Welcome to another issue of (IN)SECURE, packed with a variety of security articles for all levels of knowledge. With pressure related to PCI compliance growing as the year progresses, we offer some insight into the topic. We have an interview with Jeremiah Grossman from WhiteHat Security who will give you some interesting details when it comes to web application security. There’s also material about keyloggers, Network Access Control, Windows security, and much more.

In collaboration with Addison-Wesley and Cisco Press, we have a book giveaway where 5 lucky readers will get some free knowledge. What are you waiting for?

Mirko Zorz Chief Editor

Visit the magazine website at www.insecuremag.com

(IN)SECURE Magazine contacts

Feedback and contributions: Mirko Zorz, Chief Editor - [email protected]

Marketing: Berislav Kucan, Director of Marketing - [email protected]

Distribution

(IN)SECURE Magazine can be freely distributed in the form of the original, non modified PDF document. Distribution of modified versions of (IN)SECURE Magazine content is prohibited without the explicit permission from the editor. For reprinting information please send an email to [email protected] or send a fax to 1-866-420-2598.

Copyright HNS Consulting Ltd. 2007. www.insecuremag.com

Take care of spam on your phpBB forum with bbAntiSpam

bbAntiSpam released bbAntiSpam Advanced Textual Confirmation 1.0.2. This PHP script will help users build rock-solid protection against spam messages for their phpBB, vBulletin, WordPress, Wiki, or a guestbook. The bbAntiSpam script works transparently between visitors and a PHP application. When someone attempts to submit data, the script comes to life and starts the confirmation process. It will select a random question from its database and wait for the visitor to give the correct answer. Once it's provided, the request of the visitor is forwarded to the web application. (www.bbantispam.com)

Requirements for the CISSP certificate will be raised

(ISC)2 announced its board of directors has approved new professional experience and endorsement requirements for the Certified Information Systems Security Professional (CISSP) certification. Effective 1 October 2007, the minimum experience requirement for certification will be five years of relevant work experience in two or more of the 10 domains of the CISSP CBK, a taxonomy of information security topics recognized by professionals worldwide, or four years of work experience with an applicable college degree or a credential from the (ISC)2-approved list. Currently, CISSP candidates are required to have four years of work experience or three years of experience with an applicable college degree or a credential from the (ISC)2-approved list, in one or more of the 10 domains of the CISSP CBK. (www.isc2.org)

First geographical load balancing SSL VPN

AEP Networks announced the AEP Netilla Security Platform (NSP) Release 5.6, in which the standard load-balancing configurations now enable geographical load balancing, providing load sharing and fail-over between independent NSP clusters in geographically diverse data centers. It is configurable by the enterprise as active-active for organizations self-insuring against a failure in their owned data centers or as active-passive for customers using a standby/backup disaster recovery facility service, such as those provided by IBM or Sungard. (www.aepnetworks.com)

SonicWALL Network Security Appliance E7500 unveiled

SonicWALL unveiled the SonicWALL Network Security Appliance (NSA) E7500, a new gateway security appliance that makes deep packet inspection security productive and easy to manage in larger network deployments. Designed to enable the highest level of UTM performance at its price point, the NSA E7500 is intended for campus networks, distributed environments and data centers. The NSA E7500 features SonicWALL's characteristic ease of management combined with low cost of ownership and a rich set of inbound and outbound network control capabilities. (www.sonicwall.com)

Nearly 40 percent of large organizations don’t monitor databases for suspicious activity

Application Security announced the results of a Ponemon Institute survey underscoring the serious challenges organizations face in securing sensitive data. With more than 150 million data records exposed in the past two years, the survey also highlights an organizational disconnect between the realization of the threat and the urgency in addressing it. Forty percent said their organizations don't monitor their databases for suspicious activity, or don't know if such monitoring occurs. Notably, more than half of these organizations have 500 or more databases – and the number of databases is growing. (www.appsecinc.com)

New Digital Signature Services OASIS Standard

The members of the international standards consortium OASIS have approved Digital Signature Services (DSS) version 1.0 as an OASIS Standard, a status that signifies the highest level of ratification. DSS defines an XML interface to process digital signatures for Web services and other applications, enabling the sharing of digital signature creation, verification and other associated services, without complex client software and configuration. DSS describes two XML-based request/response protocols, one for signatures and a second for verification. Using these protocols, a client can send documents to a server and receive back a signature on the documents; or send documents and a signature to a server and receive back an answer on whether the signature verifies the documents. (www.oasis-open.org)

GFI releases software suite for PCI DSS compliance

GFI Software announced the release of the GFI PCI Suite, a package aimed at helping companies meet the strict requirements and tight deadlines imposed by the Payment Card Industry Data Security Standards (PCI DSS) and comply with the majority of automated processes required for compliance. The GFI PCI Suite provides a centralized management console through which systems administrators can deploy the PCI DSS enhanced versions of GFI EventsManager and GFI LANguard N.S.S. – two solutions that are vital to network security and essential to meet the directives imposed by PCI DSS. GFI EventsManager boosts PCI DSS compliance efforts by alerting administrators on key events occurring on the network while GFI LANguard N.S.S. allows IT professionals to proactively identify network security weaknesses and fix them before these are exploited. (www.gfi.com)

New Symantec Foundation IT Risk Assessment service

Symantec announced Symantec Foundation IT Risk Assessment, a comprehensive consulting service designed to provide customers with an overview of their current IT risk exposure and guidance on remediation. The service helps customers take the first step toward a comprehensive IT Risk Management program. The service identifies, categorizes and prioritizes current IT risks so investments can be made in projects that manage IT risk, cost, and performance for maximum business returns. (www.symantec.com)

One-time passcodes on mobile devices with SafeWord MobilePass

Secure Computing released SafeWord MobilePass, a new software authenticator that allows a user access to Virtual Private Networks (VPN), Citrix, Outlook and a number of other applications through one-time passcodes generated on their personal mobile device or laptop PC. MobilePass provides convenience as well as enhanced security through proven, two-factor authentication, establishing proof-positive identity for all users accessing trusted corporate and consumer applications. Additionally, SafeWord MobilePass helps to increase productivity at a low total cost of ownership. (www.securecomputing.com)

New software programmer exams for application security certification

The SANS Institute launched the first GIAC Secure Software Programmer (GSSP) exams. The inaugural exams covering C and Java/Java EE will be held August 14, 2007, in Washington, D.C. "The lack of trustworthy standards and certifications has been a challenge for software buyers and software developers," said Hartmut Raffler, head of Technology Division Information and Communication at Siemens Corporate Technology. "Secure programming skills are essential for building software that can be trusted. SANS' willingness to offer this exam as part of a comprehensive secure coding improvement strategy is exciting and will help both buyers and sellers of software." (www.sans.org)

If you have been reading through (IN)SECURE Magazine or its sister web site Help Net Security, you have seen that endpoint security is one of the hottest information security topics. With all the new portable devices, ranging from 2 GB USB key chains, to U3 sticks or even the new Apple media darling iPhone, organizations are seeing more and more potential problems surrounding them.

You cannot strip search your employees for any eligible portable device, but you can enforce strict company policies with a tool like DeviceWall (www.devicewall.com). This application gives you an opportunity to centrally manage and control the usage of any kind of portable media on computers located on your network.

Installation

The DeviceWall installation process is a typical one. After setting up your registration details, you have the opportunity of choosing one of two setup options. The application needs an SQL installation, so if you don't have one active yet, just choose the "Typical" type of setup. This way, after DeviceWall is installed, the setup wizard will place on your computer an MSDE instance that will act as an SQL server. As you probably figured out, the SQL server will be used for centralized logging of events. If in the past you used some of the crypto products such as OpenSSL or PGP, the final act of the installation will be a familiar one - you will need to move the pointer of your mouse around to generate a random key later used by the software.

The DeviceWall control center interface

During the installation of the product on my computer running Windows Vista, I came across a warning message related to the MSDE SQL runtime. While at first I thought that this is some kind of a bug, DeviceWall promptly gave a message to consult the Release.txt which came in the installation package. The warning message was about the file msxml2.dll, which was missing but was available as a Hot-fix from the Microsoft Knowledge Base Article 823490.

Customizing device access configuration

The link to the article is available in the mentioned text file and the good thing is that the installation doesn't fail because of this. You will just need to install a Hot-fix before any device connection data can be successfully added to the Audit Log Database.

Usage and functionality

A couple of minutes after I started the installation, the setup was finalized and I must say that I found the graphical user interface very appealing. The application window is easy to apprehend and has a bit larger toolbar buttons than I usually stumble upon.

Setting up a default policy

DeviceWall works in the client/server way. You install the application control center on the main computer and easily deploy clients all over the network. Naturally, you don't need to manually go to every single computer (although strangely enough, not all companies switched from this "old school" way of doing things), as DeviceWall offers some typical remote installation possibilities. In search for client computers, the administrator can browse a domain or Active Directory, import a list file, enter a computer name, but I found the "specify IP range" the best option for a larger network such as the one I tested at work.

DeviceWall's inner workings are based on a policy which can be set up in different ways. While installing the application you have an option to set up the default policy, but it is recommended that you do it directly from the application after the install.

DeviceWall doesn't log just the policy violations, so for the companies that don't have an already defined security policy related to portable devices, there is a neat way of setting up an "all open" policy to monitor your network.

Customizing the policy

This way, in a week or so, you could see what actually happens with your users and their devices, and therefore can react to the actual happenings in your network.

Updating policy on a test computer through the control center

The default policy provides you three different setups - deny all, allow all or create a custom one.

The good thing is that the software comes with a list of grouped classes, such as storage and imaging devices, portable devices, communication ports etc, so you won't need much time to get into business and start DeviceWall's monitoring of your users. Each of these classes is divided into specific groups of devices, so you can easily set up custom allow/deny rules for each of them. Of course, you can also set permissions based on users and groups.

Creating custom client settings

While setting up the client you can describe the alert the user will get after trying something that is forbidden, as well as create a time interval in which the client will automatically contact the server for a possibly updated policy. You can do this manually from the command center, but it is of course much better and more flexible to do it automatically. As you would expect, the end users won't have any possibility of changing, editing or removing the client portion of DeviceWall on their computers.

One of the things I really liked was a piece of functionality that comes around while setting the custom policy. Let's say that your company has standard equipment given to all the employees, such as a typical USB memory stick or a specific PDA device needed for the everyday work experience. For instance if you would block all USB storage devices, the one needed by the user would also get in the "black zone". DeviceWall offers administrators the possibility to define and set up a specific device that can be identified as "safe" and therefore can be used even if the company policy denies the same type of hardware.

Error and alert after starting a "forbidden" device

Besides the few nice additional tools I will mention afterwards, the last part of this software's functionality is related to auditing the logs generated by the device usage throughout the network computers. There is a separate portion of the product which offers different types of graphical reports, which you can redraw based on time frames, device classes, as well as different graphical presentation options.

Alert that DeviceWall is present on the client computer

If you're running your control center on a computer with a screen resolution lower than 1024x768, the application will give you an error saying it needs at least 1024x768 to draw graphs. I know that the chances of installing this kind of a management platform on a system with a resolution such as 800x600 are slim, but this can also appear on some widescreen notebooks.

I found a quick workaround for this. Just go to your system settings and switch to a resolution needed by the application. Your display will look shoddy, but just use this new resolution until you click the Audit Log Graphical Display icon. As soon as the Audit Log opens, switch back to your old resolution and the log presentation option will work just fine.

Options you can choose while drawing reports

The specific events can also be presented through the DeviceWall main interface, where a user can browse through per device or per user access details such as files and locations, as well as check out a file access summary with all the top file extensions. For example, the Dynamic Activity Monitor applet can be installed on client computers to dynamically check out all the events logged from this location. This allows you to check a specific (potentially problematic) computer without accessing the control center on the main server.

Using Temporary Access Wizard

The Temporary Access Tool is another interesting addition through which an administrator can temporarily give users access to specific devices. The time frame can be specified, or if needed, a 16-digit key can be dispatched to the user that can be used for unlocking some of the resources.

I will conclude this article on DeviceWall by mentioning a nice, but effectively not so important tool, that offers users the possibility to encrypt data on recognized USB disks.

Final thoughts

DeviceWall is really an excellent application. In a nice looking GUI, it sports quality policy deployment methods, powerful event logging/analyzing options and strong policy enforcement and alerting actions. Bottom line - it works flawlessly and will definitely be an extensive endpoint security mechanism for your network.

Mark Woodstone is a security consultant that works for a large Internet Presence Provider (IPP) that serves about 4000 clients from 30 countries worldwide.

I started with a basic solution for remote access to the network in my previous article published in (IN)SECURE volume 11. The solution was based on certificates and used two-factor authentication in its simplest mode – something you know (certificate pass-phrase) and something you have (a certificate).

However there was one big issue with the solution – manageability and scalability. We cannot really expect that an administrator, either a security or a network one, is going to manually generate certificates and then install them into hundreds or thousands of computers. That is why the solution was not really ready for enterprises with a large number of computers and users. That is why we need to look for enterprise grade solutions and this article is going to show some of them, putting emphasis on authentication and authorization.

When choosing a solution for remote access, these questions should be answered:

• what is an acceptable level of security
• how many users will be enrolled for the service in total and using it in peak times
• what applications need to be accessed by remote users.

The level of security is a rather general term and should include authentication and authorization of users, access control, logging and monitoring of security events, enforcing end point security, level of encryption, resetting access if a password is forgotten, etc.

The number of users will define the integration necessary with the enterprise identity and access management system, the scaling of the remote access platform and the bandwidth necessary to serve users in peak times.

The applications will define the type of the remote access system, such as full IP or SSL based systems. I will focus, obviously, on the security aspects covering different types of remote access systems.

Authentication and authorization

This is by far the first question anyone asks about the remote access system. We all hear about dual factor authentication, so what is it and, most importantly, do we actually need the dual factor authentication? And the answer is...YES

• it is more secure and
• it is possibly a regulatory requirement for your company!

It is more secure by requiring users to present more than one piece of evidence to prove identity.

There are three factors of authentication:

• knowledge (something you know) – the most common and probably the most insecure method of all three. Knowledge can be easily transferred (would you not tell the password under a threat to your life?). Passwords and pass-phrases are typical examples and users have a proven track record of not selecting strong enough passwords. This can lead to dictionary or brute force attacks.
• possession (something you have) – you must have something to authenticate. This can be something like a certificate, a mobile phone (or better, a SIM card), a RAS token, a smart card, etc. On its own, this is almost as (in)secure as the first one, purely because it can be easily transferred and lost, although it provides better protection against brute force and dictionary attacks.
• being (someone you are) – the best method of all, which uses your body (or parts of it) to prove your identity to the system.

Several parts of the body can be used:

• iris – reading the iris pattern, a little more accepted than a retina scan
• retina – some people might see this as a little too intrusive
• palm – scans characteristics of the palm; there are some hygiene issues
• finger – the good old fingerprint
• typing cadence – apparently everyone has their own unique typing cadence (well, I am not sure, after a couple of pints of beer...)
• voice – a tricky one as your voice may sound different sometimes; also useless for disabled people
• DNA – the most accurate form of identification; the speed and collection of material might be an issue
• palm veins – reading the blood veins in your palm; hygienic and spots a chopped palm.

Each of these biometric attributes has its own pros and cons, user acceptance, cross-over error rate, speed and size of the template.

Interestingly enough, some say that dual factor is always more secure than single factor authentication. Please, allow me to disagree. I think that properly implemented biometrics (someone you are) is more secure than the combination of know and have methods. Why? Try to authenticate on a palm vein reader using a chopped (dead) palm. No luck! Remember that the primary objective of authentication is to establish the identity, i.e. verify it is me who is logging in to the system, not someone who stole my password and RSA token/mobile phone. What do you think?

However, the most common combination of authentication methods is "something you know" and "something you have". The reason is that they are, to date, the easiest ones to implement. You simply give something to users and let them set the passwords/PIN/passphrase and that's it! Maybe this will change when biometric methods become more available, easier to use and accepted by us, humans.

Now, let's see the regulatory side. The most recent standard to mandate dual factor authentication for remote access to the network is the Payment Card Industry Data Security Standard (PCI DSS). This standard applies to all companies that accept credit cards and explicitly talks about how to authenticate remote users. The next close match is ISO 27002 (previously ISO 17799:2005) that loosely mentions HW tokens for authentication.

Your company policy most likely mandates dual factor authentication as well.

Integration

Another important requirement for a remote access system is how it integrates with the existing IT infrastructure and the database of corporate users. Most organizations use Microsoft Active Directory, an LDAP and Kerberos based authentication and authorization service capable of scaling into hundreds of thousands of users with a distributed database. Obviously these systems can also authorize users, i.e. is the user allowed to use the RAS service at this time?

If your organization already has Active Directory, or any other LDAP based user database, it makes business sense linking the remote access system to it. Obvious benefits are:

• an up-to-date user database: user creation, disabling and deletion take effect immediately. SOX auditors would call this "in a timely manner".
• users have just one set of credentials, i.e. less chance they would write passwords on a piece of paper.

PCI DSS 8.3

Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens or VPN (based on SSL/TLS or IPSEC) with individual certificates.

ISO 27002 11.4.2 User authentication for external connections

Control

Appropriate authentication methods should be used to control access by remote users.

Implementation guidance

Authentication of remote users can be achieved using, for example, a cryptographic based technique, hardware tokens, or a challenge/response protocol. Possible implementations of such techniques can be found in various (VPN) solutions. Dedicated private lines can also be used to provide assurance of the source of connections.
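The "something you know" plus "something you have" combination discussed above, and the token-based authentication that PCI DSS 8.3 quotes, come down to a back-end server checking a PIN together with a time-synchronised one-time code. The following is an added example written for this page; it is not the author's code and not RSA's SecurID algorithm. It derives the displayed number from HMAC-SHA1 over the current 60-second time step (RFC 6238 style) as a stand-in for whatever a given token vendor implements, accepts one step of clock drift either side, and refuses a code that has already been accepted. Seeds, salts, user names and PINs are constructed values.

```python
"""Time-synchronised one-time code plus PIN, verifier side.

Added example for the (IN)SECURE remote access article; not the author's
code and not RSA's SecurID algorithm. The code derivation is HMAC-SHA1 over
the current 60-second time step (RFC 6238 style), standing in for any
vendor's token algorithm. All seeds, salts, users and PINs are constructed.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60      # the article's tokens show a new number every minute
DIGITS = 6
DRIFT_STEPS = 1        # accept one step either side to tolerate clock drift


def token_code(seed: bytes, unix_time: int) -> str:
    """The number a token seeded with `seed` displays at `unix_time`."""
    step = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash so a dumped user table does not give away 4-digit PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 100_000)


class TokenServer:
    """Back-end holding each user's seed, salted PIN hash and last accepted step."""

    def __init__(self) -> None:
        self._users = {}   # username -> [seed, pin_hash, salt, last_accepted_step]

    def enroll(self, username: str, seed: bytes, pin: str, salt: bytes) -> None:
        # last accepted step starts at -1 so any current step is usable
        self._users[username] = [seed, _hash_pin(pin, salt), salt, -1]

    def verify(self, username: str, passcode: str, unix_time: int) -> bool:
        """passcode is the PIN followed by the 6-digit token code, as the article describes."""
        record = self._users.get(username)
        if record is None or len(passcode) <= DIGITS:
            return False
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        if not (code.isascii() and code.isdigit()):
            return False
        seed, pin_hash, salt, last_step = record
        # 'something you know': constant-time comparison of the PIN hash
        if not hmac.compare_digest(_hash_pin(pin, salt), pin_hash):
            return False
        # 'something you have': the code must match one step inside the drift window
        now_step = unix_time // STEP_SECONDS
        for step in range(now_step - DRIFT_STEPS, now_step + DRIFT_STEPS + 1):
            if step <= last_step:
                continue           # that step's code was already accepted: replay
            if hmac.compare_digest(token_code(seed, step * STEP_SECONDS), code):
                record[3] = step   # burn the step so the same code cannot be reused
                return True
        return False
```

Burning the accepted step is what turns a "one-minute password" into a genuine one-time code: without it, anyone who shoulder-surfs the passcode has a full minute (three, with the drift window) to replay it. The PIN is checked first and with a constant-time compare, and the PIN hash is deliberately slow, since a stolen user table with 4-digit PINs would otherwise fall in seconds.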

Logging and monitoring

The operational part is sometimes overlooked but it is important to get it right. It is easy to install a system and forget about it, virtually creating a channel into the enterprise network. Such a system should send logs off to a remote logging server where it is important to set up a monitoring and escalation system. This can be a simple syslog based server with watchlog or alternatively an enterprise grade logging and monitoring system.

Is it important to watch logs 24/7 for possible incidents? I think so. Also, it is important to log an appropriate level of detail. Cisco VPN GW, for example, does log username, time, IP address of the remote client, version of the Cisco VPN client. However, it does not log the hostname and the of the client computer. So if you want to check that the user is using the company laptop to access the network, no chance. Perhaps this should force you to purchase the end-point security add-on.

End-point security

This is currently the buzz-word. If your network and remote access systems do not provide endpoint security, you have a problem.

Do you know what is connected to your network? You might know if you have 802.1x and are using non-exportable certificates. But do you know what the level of compliance with your policies, patch levels and antivirus updates is? If you do, you must have such a system implemented. RAS is logically an extension of the local area network and as such must have the same level of protection. Watch out for systems from Microsoft, Cisco, Symantec and others.

Level of encryption

This used to be the most discussed topic of all times in network security, don't you think? But with the arrival of public encryption algorithms and export restrictions lifted, it is easy to implement a very strong encryption system. The most common is AES with various bit sizes. The encryption algorithm will determine the hardware requirements and the maximum number of users at one time. When configuring VPN gateways always aim for the most secure configuration that would be accepted by all clients. Fortunately, all enterprise computers should be configured the same way, eliminating incompatibilities. The following combinations of symmetric encryption and hash functions provide an enterprise level of security:

Encryption   Key size (bits)   Hash    Hash size (bits)
AES-256      256               SHA-2   224, 256, 384, 512
AES-192      192               SHA-1   160
AES-128      128

It is important to set the encryption key to provide adequate security without affecting performance. For example AES-256 is approx. 25% slower than AES-128, but it uses a key twice as long (256 bits instead of 128), which multiplies the effort of a brute force key search by 2^128, not by two (subject to random key material).

Resetting access

This is a very interesting topic and each authentication technology uses a different technique. The basic question is "How do I know you are who you say you are, over the phone?" This is the case if someone loses the password/token and needs to connect to urgently finish the work.

I would suggest this is the area where great consideration and testing should be done. Remember that the service desk, usually dealing with these requests, has one task and one task only: the service for the user does not work and needs to be restored promptly. That is why so many social engineering attacks use service desks.

Types of remote access

The applications needed will determine the type of remote access system. There are two major types to look at:

1. SSL VPNs – Web based access to applications.
2. IP tunnel VPNs – full IP access to applications needed.

Let's go over them in a little more detail.

SSL VPN - This type of remote access is on the rise as more applications are web enabled. Effectively SSL VPNs act as reverse proxies with SSL off-load. My small example of providing access to a company Intranet was a simple SSL VPN.

Some of the possible solutions:

• Apache reverse proxy – discussed in my previous (IN)SECURE article
• MS ISA server
• Cisco VPN GW.

End point security can be assured using special Java applets which the user's computer must run in order to get through the VPN box. Such a Java applet can run code on the local computer and send results to the VPN gateway and policy server for verification.

The advantage of SSL VPN systems is that they do not open an IP tunnel to the network and can only reverse proxy Web based applications or some special applications using a Java applet. This limits the potential attack surface to a minimum. Obviously SSL VPNs receive increasing attention and are a favorite means of remote access, if the application allows it. Users can also connect from anywhere on the Internet with just the port open and even behind a .

One obvious disadvantage is that the client computer is connected to the Internet and the company network at the same time. This is a threat to be included in the risk assessment. However, a properly configured client personal firewall should minimize such risk.

IPSec VPN - Good old IPSec. If you need to give users full access to the network, IPSec in ESP/tunnel mode is used. This mode can traverse NAT (with NAT-T, i.e. UDP encapsulation of ESP). End point security is achieved with special software running on the client which communicates with the VPN GW and RADIUS server in the back end. Both Cisco and Microsoft have their versions of Network Access Control systems. For obvious reasons IPSec VPNs do not work easily through the firewall and proxy server.

The best practice is to enable "default route mode" where all traffic is routed into the IPSec tunnel, effectively disconnecting the computer from the internet. The computer retains a specific route to the IPSec VPN GW though.

In both solutions there should always be a firewall between the VPN GW and the internal network to limit what systems users have access to. The reason is that without the firewall, once the user is connected to the VPN GW, it has unlimited access to the network (subject to routing and internal segregation). It is good practice to limit access to internal systems with classification INTERNAL, like the Intranet site, email systems, proxy server for internet access, file server with non sensitive data.

Obviously the level of access the users get should correlate with the classification of the data and the authentication technique used.
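The Logging and monitoring section above recommends shipping VPN gateway logs to a remote server and actually watching them, and lists the fields a gateway typically records (username, time, remote IP address, client version). The following is an added example written for this page; it is not the author's code and is not tied to any real gateway's log format: the log lines and their field layout are constructed for the example, and the approved client version and the failure threshold are assumptions. It runs three checks a practitioner would want on such logs: repeated failures for one account (the dictionary/brute force case from the authentication section), one account active from two addresses at the same time, and a client version that is not the enterprise-standard build.

```python
"""Review of constructed VPN gateway log lines (added example, not the article's code).

The line format below is invented for this example; a real gateway's syslog
output differs, so `parse_line` is the part you would adapt. Detections:
  * dictionary/brute force: FAIL_THRESHOLD failed logins for one user in FAIL_WINDOW
  * one account in use from two source addresses at the same time
  * a successful login from a client version that is not on the approved list
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, roughly the fields the article says a VPN gateway logs:
# time, username, remote IP, client version and the result.
SAMPLE_LOG = """\
2007-07-12T08:01:10 vpngw1 LOGIN user=alice src=198.51.100.7 client=4.8.01 result=OK
2007-07-12T08:02:44 vpngw1 LOGIN user=bob src=203.0.113.9 client=4.8.01 result=FAIL
2007-07-12T08:02:51 vpngw1 LOGIN user=bob src=203.0.113.9 client=4.8.01 result=FAIL
2007-07-12T08:03:02 vpngw1 LOGIN user=bob src=203.0.113.9 client=4.8.01 result=FAIL
2007-07-12T08:03:15 vpngw1 LOGIN user=bob src=203.0.113.9 client=4.8.01 result=FAIL
2007-07-12T08:03:30 vpngw1 LOGIN user=bob src=203.0.113.9 client=4.8.01 result=FAIL
2007-07-12T08:10:05 vpngw1 LOGIN user=alice src=192.0.2.44 client=3.6.03 result=OK
2007-07-12T08:40:00 vpngw1 LOGOUT user=alice src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>LOGIN|LOGOUT) user=(?P<user>\S+) "
    r"src=(?P<src>\S+)(?: client=(?P<client>\S+))?(?: result=(?P<result>OK|FAIL))?$"
)

APPROVED_CLIENTS = {"4.8.01"}       # assumption: the enterprise-standard client build
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Return a dict of fields for one constructed log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def review(log_text):
    """Return a list of (kind, user, detail) alerts for the given log text."""
    alerts = []
    failures = defaultdict(list)    # user -> timestamps of recent failed logins
    sessions = defaultdict(set)     # user -> source IPs with an open session
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            alerts.append(("unparsed", None, line))   # never silently drop log lines
            continue
        user, src, ts = rec["user"], rec["src"], rec["ts"]
        if rec["event"] == "LOGOUT":
            sessions[user].discard(src)
            continue
        if rec["result"] == "FAIL":
            recent = [t for t in failures[user] if ts - t <= FAIL_WINDOW] + [ts]
            failures[user] = recent
            if len(recent) == FAIL_THRESHOLD:        # alert once, when the threshold is hit
                alerts.append(("brute_force", user, f"{len(recent)} failures from {src}"))
            continue
        # successful login from here on
        if rec["client"] not in APPROVED_CLIENTS:
            alerts.append(("unapproved_client", user, f"client {rec['client']} from {src}"))
        if sessions[user] and src not in sessions[user]:
            alerts.append(("concurrent_session", user,
                           f"{src} while {sorted(sessions[user])} still connected"))
        sessions[user].add(src)
    return alerts


if __name__ == "__main__":
    for kind, user, detail in review(SAMPLE_LOG):
        print(f"{kind:18} {user or '-':8} {detail}")
```

On the sample this raises a brute-force alert for bob after the fifth failure, and two alerts for alice: the second login comes from an old client build and arrives while the first session is still open, which is exactly the "stolen password plus token" case the authentication section worries about. Unparsed lines are surfaced as alerts rather than skipped, because a gateway whose log format changed after an upgrade looks, from the monitoring side, identical to a gateway that stopped logging.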


Examples of interesting authentication systems for remote access

These are definitely the most widely used authentication systems for remote access. Please note that these can be used for all types of the remote access systems described above.

SecureID - I believe this is by far the most widely used solution for remote access authentication. It is based on time synchronization between a token with a display and a back-end RSA server. The number changes every minute and provides “something you have”. The user is required to combine this number with a PIN (something you know) on login. The problem with this system is that the PIN is usually 4 digits, it is difficult to change and its randomness is questionable.

Text message - Virtually everyone has a mobile phone (or two). Banks use it to deliver authentication text messages, so why not use it for remote access? The idea is rather simple: replace the SecureID token with the phone. The system can generate a new number on every login attempt (successful or not) or at regular intervals and send it to the pre-configured mobile phone number in the user's profile. I personally use it and I like it over SecureID: a) I do not need yet another device to carry with me all the time, and b) I take care of my mobile phone more than the RAS token. If the phone is lost I get a new SIM card with the same number, making the original one useless.

The SMS message delivers the “something you have” part, but where is “something you know”? Well, it turns out that the system can use your Active Directory password instead of a PIN. I like this more than a PIN as I can control password policies for users, unlike a PIN. See the references section for more details.

Certificate - I have covered certificate usage in the previous article. Obviously for enterprise use it is important to make sure certificates can be enrolled and distributed automatically and must be locked down to the computer or the user. The certificates provide “something you have”. The other part is usually the user's password.

Office link (T-Mobile UK product name) - A little exception among the others in the list. This is the name of the service provided by T-Mobile UK. A company, a client of T-Mobile, is provided with a special virtual VPN network. Then it can give its workforce SIM cards provisioned for the service, which makes sure that only these SIM cards are allowed to be a part of the virtual VPN for the company. Second factor authentication is implemented by requiring username and password when logging in. The secure link between the company and T-Mobile is established by using an IPSec tunnel.

This system is rather unique as it “outsources” remote access to a telecommunication company and an enterprise does not have to procure remote access hardware and software and operate it.

Conclusion

The way we access applications inside the networks is a fascinating subject. The boundaries between inside and outside gradually diminish and we, as security professionals, face new security threats. Having a properly designed, secured and maintained remote access system is the key for the business to compete in a fast moving world. It is no longer possible to fire off an excuse “I am traveling, will login to my email and send it to you next week when I am back from my business trip.” There will be no-one to send it to then!

Let's design solutions that fit the purpose and help our businesses stay on a competitive edge.
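The time-synchronized token and the “code plus password” login described above, as an added example (not the article's own code, not RSA's or T-Mobile's algorithm): the code derivation is assumed to be an HMAC over a 60-second time counter under a per-user seed, the server allows one step of clock drift, refuses a code that has already opened a session, and takes the password (the article's Active Directory idea) as the “something you know”.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the displayed number changes every minute, as in the article
DIGITS = 6
DRIFT_STEPS = 1     # tolerate one step of clock skew between token and server


def time_counter(unix_time: int) -> int:
    """Completed 60-second steps since the Unix epoch: the clock both sides share."""
    return unix_time // STEP_SECONDS


def token_code(seed: bytes, counter: int) -> str:
    """Code shown on the token (or sent by SMS) for one time step.

    Assumed derivation: HMAC-SHA1 of the counter under a per-user seed,
    truncated to six digits.  The real SecurID algorithm is different.
    """
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class RemoteAccessServer:
    """Back end that holds each user's token seed and password verifier."""

    def __init__(self) -> None:
        self.users = {}          # name -> (seed, password_hash)
        self.last_counter = {}   # name -> highest time step already redeemed

    @staticmethod
    def _password_hash(password: str) -> bytes:
        # Stand-in for the directory check; the article's point is that the
        # "something you know" can be the Active Directory password, not a PIN.
        return hashlib.sha256(b"constructed-salt" + password.encode()).digest()

    def enrol(self, name: str, seed: bytes, password: str) -> None:
        self.users[name] = (seed, self._password_hash(password))
        self.last_counter[name] = -1

    def login(self, name: str, code: str, password: str, now: int):
        """Return (accepted, reason) for one 'code + password' login attempt."""
        if name not in self.users:
            return False, "unknown user"
        seed, pw_hash = self.users[name]
        # Something you know: the password, compared in constant time.
        if not hmac.compare_digest(pw_hash, self._password_hash(password)):
            return False, "bad password"
        # Something you have: a code valid within DRIFT_STEPS of the server clock.
        if len(code) != DIGITS or not code.isdigit():
            return False, "bad code"
        current = time_counter(now)
        for counter in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if hmac.compare_digest(token_code(seed, counter), code):
                if counter <= self.last_counter[name]:
                    return False, "code already used"   # no second session on one code
                self.last_counter[name] = counter
                return True, "ok"
        return False, "bad code"


if __name__ == "__main__":
    seed = b"constructed-seed-for-alice"   # would come from token or SIM enrolment
    server = RemoteAccessServer()
    server.enrol("alice", seed, "Correct-Horse-Battery")
    now = 1_700_000_000
    print(server.login("alice", token_code(seed, time_counter(now)), "Correct-Horse-Battery", now))
```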

Vladimir Jirasek is an experienced security professional currently working as the Head of System Security at T-Mobile UK. He recently migrated to Apple's Mac OS X operating system and is loving it. He holds CISSP-ISSAP, CISM and MCSE certifications and is a member of the ISSA UK chapter. He can be reached at [email protected] and www.vjirasek.eu.

Security Metrics: Replacing Fear, Uncertainty, and Doubt By Andrew Jaquith Addison-Wesley Professional, ISBN: 0321349989

Security Metrics is the first comprehensive best-practice guide to defining, creating, and utilizing security metrics in the enterprise. Using sample charts, graphics, case studies, and war stories, Yankee Group Security Expert Andrew Jaquith demonstrates exactly how to establish effective metrics based on your organization’s unique requirements. You’ll discover how to quantify hard-to-measure security activities, compile and analyze all relevant data, identify strengths and weaknesses, set cost-effective priorities for improvement, and craft compelling messages for senior management.

Security Monitoring with Cisco Security MARS By Gary Halleen and Greg Kellogg Cisco Press, ISBN: 1587052709

Cisco Security Monitoring, Analysis, and Response System (MARS) is a next-generation Security Threat Mitigation system. Cisco Security MARS receives raw network and security data and performs correlation and investigation of host and network information to provide you with actionable intelligence. Security Monitoring with Cisco Security MARS helps you plan a MARS deployment and learn the installation and administration tasks you can expect to face. Additionally, this book teaches you how to use the advanced features of the product, such as the custom parser, Network Admission Control (NAC), and global controller operations.

VPNs Illustrated: Tunnels, VPNs, and IPsec By Jon C. Snader Addison-Wesley Professional, ISBN: 032124544X

By explaining how VPNs actually work, networking expert Jon Snader shows software engineers and network administrators how to use tunneling, authentication, and encryption to create safe, effective VPNs for any environment. Using an example-driven approach, VPNs Illustrated explores how tunnels and VPNs function by observing their behavior “on the wire.” By learning to read and interpret various network traces, such as those produced by tcpdump, readers will be able to better understand and troubleshoot VPN and network behavior.

CCNP ONT Official Exam Certification Guide By Amir Ranjbar Cisco Press, ISBN: 1587201763

CCNP ONT Official Exam Certification Guide follows a logical organization of the CCNP ONT exam objectives. Material is presented in a concise manner, focusing on increasing your retention and recall of exam topics.

You can organize your exam preparation through the use of the consistent features in these chapters. “Do I Know This Already?” quizzes open each chapter and allow you to decide how much time you need to spend on each section.

CCDA Official Exam Certification Guide, Third Edition By Anthony Bruno and Steve Jordan Cisco Press, ISBN: 1587201771

CCDA Official Exam Certification Guide, Third Edition, is a best-of-breed Cisco exam study guide that focuses specifically on the topics for the DESGN exam.

CCDA Official Exam Certification Guide presents you with an organized test preparation routine through the use of proven series elements and techniques. Exam topic lists and concise Foundation Summary information make referencing easy and give you a quick refresher whenever you need it.

CCNP ISCW Official Exam Certification Guide By Brian Morgan and Neil Lovering Cisco Press, ISBN: 158720150X

CCNP ISCW Official Exam Certification Guide is a Cisco exam study guide that focuses specifically on the objectives for the Implementing Secure Converged Wide Area Networks exam (642-825 ISCW).

CCNP ISCW Official Exam Certification Guide follows a logical organization of the CCNP ISCW exam objectives. Material is presented in a concise manner, focusing on increasing your retention and recall of exam topics. You can organize your exam preparation through the use of the consistent features in these chapters.

When people familiar with the Payment Card Industry Data Security Standard (PCI DSS) hear "logging" in conjunction with "PCI compliance," they naturally think of Requirement 10, entitled "Track and monitor all access to network resources and cardholder data." And it's true, Requirement 10 is quite explicit about the specific actions that must be logged, the details that must be tracked, and the length of time and manner in which logging data must be stored and retained. Similarly, when people discuss PCI compliance, there is an overemphasis and fixation on the yearly audit and submission of the Report on Compliance (ROC).

While the annual audit and ROC submission is an important requirement for many organizations subject to the PCI DSS, as the field of general compliance management matures and we learn more about how to successfully operate compliance programs, it has become apparent that a different manner of approaching compliance is required. Instead of scrambling to fill in checklists on a gap analysis and mounting a Herculean yearly effort to establish, prove, and document compliance, it is more effective to regularly and consistently monitor and evaluate the controls, processes and compliance key performance indicators associated with the regulations that influence and apply to your organization. In this vein, it is also useful to consider additional ways that PCI-related log management can be leveraged to regularly validate and evaluate compliance-related controls and processes.

This article will explore some of the ways that log management can bring efficiencies to PCI compliance and how organizations can use log management to transform their overall compliance strategy from reactive to proactive.

Operationalizing Compliance

First, let’s review some definitions and background. Generally speaking, operationalizing compliance refers to moving away from a purely audit-focused perspective on compliance toward a more long-term, everyday, integrated and process-driven approach to compliance management. For PCI, this means obsessing less about the audit and ROC and instead focusing more attention on making the controls and processes required by the PCI DSS a core part of everyday IT and business operations.

Pragmatically, this involves a number of issues:

Comprehensive Understanding of Compliance Responsibilities

One of the ideals of general compliance management and operationalizing compliance is the development and implementation of a single set of policies, processes, and controls that will ensure compliance with all relevant requirements. Thus to begin in the quest for this ideal, the organization must be aware of and fully understand the entire scope of its relevant compliance responsibilities.

This includes internal and external compliance influences, such as:

• Industry mandates, including PCI.
• Legal regulations such as SOX (Sarbanes-Oxley).
• Governmental regulations such as California Senate Bill 1386 and FISMA (Federal Information Security Management Act).
• Regulations enforced by business partners (e.g. supply chain compliance requirements).
• Internal organizational requirements such as security policies, standards, and procedures.

Once the scope of compliance requirements has been documented, approved, and internalized organizationally, integrating compliance into everyday operations can move forward. Without this step, though, there is a danger of overlooking or misunderstanding compliance requirements, which can easily lead to implementing processes, policies, and controls that fail to address compliance needs.

Organizational Alignment for Successful Compliance Management

Creating a model that facilitates the efficient, bi-directional distribution of information on compliance-related activities; including gap analysis, remediation plans, control implementation, and status reports is the goal of compliance-specific organizational alignment. People with responsibility for compliance (no matter how small) must understand their obligations and how to work toward achieving ongoing compliance.

A PCI-specific example can be illustrated around requirement 12.7, which calls for employee screening (i.e. background checks) for personnel with access to cardholder data. With effective organizational alignment, the HR business unit will be fully aware of this requirement, how to bridge any gaps if the current screening process is insufficient, and the timelines and documentation required to demonstrate and maintain compliance.

Continuous and Automated Validation of Controls and Processes

To ensure effectiveness, it is important to be able to efficiently evaluate and validate the compliance-related controls that have been implemented. This concept is at the core of operationalizing PCI compliance – it is how the best practices espoused by the Data Security Standard are embodied, implemented, and evaluated in daily practice.

For example, PCI requirement 2.3 mandates the use of encrypted protocols and applications to administer systems over the network. A reasonable control to implement this requirement would be the use of SSH to remotely administer systems. Thus, this control would be specified in system configuration and administration standards (PCI requirement 2.2), and the installation of appropriate software would be included as a part of standard system builds. Of course, once systems are built and deployed, the controls must be validated to ensure continuous compliance.

To validate this control, logs can be examined to detect the use of unencrypted and insecure protocols (e.g. Telnet, r-services) to administer in-scope systems. If your firewall logs show clear text protocols being used to access systems or your system logs show logins via Telnet, this control has been subverted or has otherwise failed. Log management can automate the validation of this control in a fairly straightforward manner; for example, a weekly report could be scheduled and executed to detail events that violate this control, and follow up and remediation can be planned as a result.

Thus, to fulfill this general goal of continuous and automated process and control validation, each implemented control will ideally have a clear and straightforward means by which both scheduled and ad hoc validation can be performed.

Using Log Management to Validate Compliance Controls

A real benefit associated with the use of log management for control validation is that no specific control instrumentation is required. The use (and misuse) of controls creates log messages that serve as permanent artifacts and evidence of the controls’ efficacy.

By implementing log management to collect, store, analyze, and present this evidence, organizations are equipped with the data that allows them to:

• Ensure continuous compliance.
• Demonstrate control effectiveness.
• Identify gaps in control coverage.
• Fine-tune controls, operating procedures, and workflows.
• Facilitate audit-related data gathering and analysis.

To provide a better illustration of how this ideal is put into practice, this section offers an introduction to some of the specific PCI requirements and associated controls that can be validated through log management. A brief overview of each of the major PCI requirements is provided, and accompanying tables are used to enumerate the particular controls and processes related to each requirement and sample log messages that can be used to validate, evaluate, and demonstrate control effectiveness.

Build and Maintain a Secure Network (Requirements 1 and 2)

Requirement 1 describes the network traffic that is generally permitted in the PCI environment, and the policies and network-based access controls that must be in place to restrict traffic appropriately. Traffic must be limited to necessary data flows (1.1.5), and specific controls are required for DMZ and internal systems (1.3 and 1.4).

PCI Requirement: 1.1.1 – Testing and approval of external network connections and firewall changes
Related Controls and Processes: • External connection policy • Change management process • Firewall and network management policies
Relevant Log Messages: • Firewall policy and configuration changes • Router configuration changes • Firewall and router reboots

PCI Requirement: 1.1.5-1.1.7, 1.2 – 1.4 – Documentation and justification of ports and protocols used in the PCI environment; control and restrict specific traffic flows within the PCI environment
Related Controls and Processes: • Authorized data flows and applications in the payment card environment • Network traffic whitelists/blacklists (i.e. explicitly allowed or denied services)
Relevant Log Messages: • Accepted firewall connections • Denied firewall connections

Requirement 2 outlines the configuration standards required for systems deployed in the payment card environment. Specific security configuration settings are mandated for systems (2.1 and 2.2), and encrypted applications and protocols are required for systems administration (2.3).

PCI Requirement: 2.2.2 – Disable unnecessary and insecure services; 2.3 – Encrypt administrative access to PCI systems
Related Controls and Processes: • System configuration and installation standards • System administration standards • Application whitelists/blacklists (i.e. explicitly allowed or denied services)
Relevant Log Messages: • Telnet, FTP, and r-service login messages • Firewall and router ACL accept messages for insecure or unencrypted services

Protect Cardholder Data (Requirements 3 and 4)

Requirement 3 spells out the specifics on how cardholder data can be stored. This data should be maintained for the minimum time required for business purposes (3.1), authentication data cannot be stored after card authorization (3.2) and the Primary Account Number must be appropriately protected during storage (3.4).

PCI Requirement: 3.4 – Render PAN (Primary Account Number) unreadable when stored
Related Controls and Processes: • Data storage standards • Data classification policy • Confidential data processing and access policy
Relevant Log Messages: • Transaction and application logs containing unencrypted card numbers

PCI Requirement: 3.5.1 – Restrict access to encryption keys
Related Controls and Processes: • Key management standards and procedures
Relevant Log Messages: • File and object access records for encryption keys

Requirement 4 mandates the use of appropriate controls (e.g. TLS or SSL, WPA2) when transmitting cardholder data over wireless and public networks.

PCI Requirement: 4.1 – Use strong cryptography when transmitting cardholder data over open, public networks
Related Controls and Processes: • Data access, transmission, and distribution policies and standards • Application development and management policies
Relevant Log Messages: • Firewall and router ACL accept messages for insecure or unencrypted services

Maintain a Vulnerability Management Program (Requirements 5 and 6)

Requirement 5 describes the anti-virus controls that must be implemented on payment card systems, and includes requirements for deployment (5.1) and configuration (5.2).

PCI Requirement: 5.1 – Deploy anti-virus software; 5.2 – Ensure anti-virus mechanisms are current, active, and capable of generating logs
Related Controls and Processes: • Anti-malware infrastructure • System protection policies • Desktop and server configuration standards • Patch and software installation policies and processes
Relevant Log Messages: • Anti-virus application installation messages • Virus detected, cleaned, quarantined • Virus signature file installed or updated

Requirement 6 enumerates the change management and systems development controls that must be implemented to ensure compliance. This requirement outlines standards for software development (6.3 and 6.5) and the required parameters for patch and update management (6.1) and change control (6.4).

PCI Requirement: 6.1 – Ensure systems are patched with the latest vendor security updates
Related Controls and Processes: • Patch and software installation policies and processes • Incident response policy and process
Relevant Log Messages: • Patch installed • Software updated

PCI Requirement: 6.4 – Follow change control procedures for all configuration changes
Related Controls and Processes: • Change management process • Enforcement of maintenance windows
Relevant Log Messages: • System reboots • Patch installed • Software updated

Implement Strong Access Control Measures (Requirements 7, 8, and 9)

Requirement 7 describes the access control restrictions needed for payment card systems, and states that access must be controlled based on job function (7.1) and be configured in a default deny manner.

PCI Requirement: 7.1 – Limit access to systems and information based on job requirements; 7.2 – Establish a system to restrict user access based on need-to-know and default deny
Related Controls and Processes: • Account management process and policy • Access control policy • Role-based access controls
Relevant Log Messages: • User account modifications • User group modifications • Database access (CRUD – Create, Read, Update, Delete audit records) • File access records • Login messages

Requirement 8 sets forth the manner in which organizations must implement unique identifiers for users of payment card systems to ensure auditability and traceability of events. Authentication requirements are specified (8.2 and 8.3), and password standards are provided (8.4 and 8.5).

PCI Requirement: 8.1, 8.5.8 – Identify all users with a unique ID before allowing access; do not use group, shared, or generic accounts
Related Controls and Processes: • User provisioning process • Separation of duties • Systems administration process and policy
Relevant Log Messages: • User logins (system, application, database) • Shared user logins (e.g. root, administrator, application and service accounts) • Accounts created

PCI Requirement: 8.3 – Implement two-factor authentication for remote access
Related Controls and Processes: • Remote access policy
Relevant Log Messages: • VPN logins

PCI Requirement: 8.5.1 – Control addition, deletion, and modification of user IDs and other identifiers
Related Controls and Processes: • User provisioning process • Account maintenance procedures
Relevant Log Messages: • Accounts created, deleted, modified • Groups created, deleted, modified

PCI Requirement: 8.5.4 – Immediately revoke access for any terminated users
Related Controls and Processes: • Deprovisioning policy and procedures • Employee termination policy
Relevant Log Messages: • User deleted • User disabled

PCI Requirement: 8.5.6 – Enable accounts for vendor remote access only when required
Related Controls and Processes: • Vendor remote access policy • Enforcement of maintenance windows • Change management process
Relevant Log Messages: • User logins (vendor user accounts) • VPN logins

PCI Requirement: 8.5.13 – Lockout user accounts after six failed login attempts
Related Controls and Processes: • User account management policy
Relevant Log Messages: • Failed logins • Account lockouts

PCI Requirement: 8.5.16 – Authenticate all access to any database containing cardholder data
Related Controls and Processes: • Data access policy • Access control policy
Relevant Log Messages: • Database logins
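The scheduled validation report the article proposes, written out as an added example that is not the article's or any log management product's code, for two of the controls tabled above: requirements 2.2.2/2.3 (Telnet, FTP and r-service logins on in-scope hosts, and firewall ACL accepts of those services towards them) and requirement 8.5.13 (an account reaching six failed logins with no lockout). The host inventory, the syslog-style line formats and the sample log are all constructed for the example, not taken from a real system.

```python
import re
from collections import defaultdict

# Constructed inventory and policy for the example.
IN_SCOPE_HOSTS = {"pos-db01", "pos-app01"}
INSECURE_SERVICES = {"telnet": 23, "ftp": 21, "rsh": 514, "rlogin": 513, "rexec": 512}
PORT_TO_SERVICE = {port: name for name, port in INSECURE_SERVICES.items()}
LOCKOUT_THRESHOLD = 6   # PCI DSS requirement 8.5.13

# Assumed line formats (not any real product's syslog format).
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[a-z_]+)\[\d+\]: "
    r"(?P<result>accepted|failed) login for (?P<user>\S+) from (?P<src>\S+)$")
ACL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) fw: (?P<action>accept|deny) tcp "
    r"(?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+)$")
LOCK_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) \S+: account (?P<user>\S+) locked$")


def find_cleartext_admin(lines):
    """Requirement 2.2.2 / 2.3 check: insecure-service logins on in-scope
    hosts, and firewall ACL accepts of those services towards them."""
    findings = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            service = m["proc"].rstrip("d")   # telnetd -> telnet, ftpd -> ftp
            if m["host"] in IN_SCOPE_HOSTS and service in INSECURE_SERVICES:
                findings.append((m["host"], service, m["user"]))
            continue
        m = ACL_RE.match(line)
        if m and m["action"] == "accept" and m["dst"] in IN_SCOPE_HOSTS:
            service = PORT_TO_SERVICE.get(int(m["port"]))
            if service:
                findings.append((m["dst"], service, m["src"]))
    return findings


def find_missing_lockouts(lines):
    """Requirement 8.5.13 check: accounts that reach six consecutive failed
    logins on a host and are not locked (a later success with no lockout
    message in between, or no lockout message at all, is reported)."""
    failures = defaultdict(int)   # (host, user) -> consecutive failures
    awaiting_lock = set()         # hit the threshold, lockout not yet seen
    violations = set()
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            key = (m["host"], m["user"])
            if m["result"] == "failed":
                failures[key] += 1
                if failures[key] == LOCKOUT_THRESHOLD:
                    awaiting_lock.add(key)
            else:
                if key in awaiting_lock:      # logged in instead of being locked out
                    violations.add(key)
                awaiting_lock.discard(key)
                failures[key] = 0
            continue
        m = LOCK_RE.match(line)
        if m:
            key = (m["host"], m["user"])
            awaiting_lock.discard(key)
            failures[key] = 0
    return sorted(violations | awaiting_lock)


def weekly_report(lines):
    """The scheduled report the article suggests: one finding list per control."""
    return {"req_2_3_cleartext_admin": find_cleartext_admin(lines),
            "req_8_5_13_missing_lockout": find_missing_lockouts(lines)}


# Constructed sample log for one day (not real data).
SAMPLE_LOG = [
    "2007-06-11T09:00:01 pos-app01 sshd[812]: accepted login for jsmith from 10.1.1.5",
    "2007-06-11T09:02:14 pos-db01 telnetd[455]: accepted login for dba from 10.1.1.9",
    "2007-06-11T09:03:30 fw-dmz fw: accept tcp 10.1.1.9 -> pos-db01:21",
    "2007-06-11T09:03:31 fw-dmz fw: deny tcp 10.1.1.9 -> pos-db01:23",
    "2007-06-11T09:04:00 fw-dmz fw: accept tcp 10.1.1.9 -> crm-web01:23",  # out of scope
]
# bob: six failures followed by the lockout the control requires
SAMPLE_LOG += [f"2007-06-11T09:10:{i:02d} pos-app01 sshd[812]: failed login for bob from 10.9.9.9"
               for i in range(6)]
SAMPLE_LOG.append("2007-06-11T09:10:07 pos-app01 pam_tally: account bob locked")
# mallory: six failures and then a successful login, so the lockout control failed
SAMPLE_LOG += [f"2007-06-11T09:20:{i:02d} pos-app01 sshd[812]: failed login for mallory from 10.9.9.9"
               for i in range(6)]
SAMPLE_LOG.append("2007-06-11T09:20:09 pos-app01 sshd[812]: accepted login for mallory from 10.9.9.9")

if __name__ == "__main__":
    for control, findings in weekly_report(SAMPLE_LOG).items():
        print(control, findings)
```

The deny on port 23 and the accept towards the out-of-scope crm-web01 are deliberately not reported; scoping the check to the cardholder environment is what keeps the weekly report actionable.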

Physical security controls for payment card environments are described in Requirement 9. This includes physical access and visitor controls (9.1 through 9.4) and media (e.g. tapes, disks, paper) security, distribution and destruction (9.5 through 9.10).

PCI Requirement: 9.1 – Use facility entry controls to limit and monitor physical access
Related Controls and Processes: • Physical security controls • Facility access policy
Relevant Log Messages: • Badge reader activity (e.g. entries, failures)

Regularly Monitor and Test Networks (Requirements 10 and 11)

Requirement 10 describes the foundational requirements for audit trails and log management within PCI environments. As such, every sub-requirement in this section is related directly to the collection, storage, protection, integrity and/or retention of logs.

This requirement covers the core functions of log management, including:

• Enabling and configuring logging (10.1 and 10.2)
• Details required for audit trail events (10.3)
• Time synchronization (to support the integrity and usability of logs) (10.4)
• Centralization and protection of logs (10.5)
• Log review and analysis (10.6)
• Log retention (10.7)

Requirement 11 enumerates the testing and monitoring controls that must be implemented for payment card environments. This includes regular control assessment, vulnerability assessments and penetration testing (11.1 through 11.3) and the use of IDS/IPS and file integrity monitoring software (11.4 and 11.5).

PCI Requirement: 11.4 – Use IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) to monitor traffic and alert personnel
Related Controls and Processes: • Network monitoring policy • Incident response program and procedures • Patch and software installation policies and processes
Relevant Log Messages: • IDS/IPS alerts • IDS/IPS signature updates

PCI Requirement: 11.5 – Deploy file integrity monitoring systems (FIMS) to alert personnel to unauthorized modifications
Related Controls and Processes: • System monitoring processes • Change management process • Incident response program and procedures
Relevant Log Messages: • FIMS alerts

Maintain an Information Security Policy (Requirement 12)

Requirement 12 specifies the information security policies and procedures needed for PCI compliance, including operational procedures (12.2), usage policy (12.3), and incident response (12.9).

PCI Requirement: 12.2 – Develop daily operational security procedures consistent with PCI requirements; 12.9, 12.9.5 – Implement an incident response plan – include alerts from intrusion detection, intrusion prevention, and file integrity monitoring systems
Related Controls and Processes: • System monitoring processes • Incident response program and procedures • Security standard operating procedures
Relevant Log Messages: • Logins to security systems (to validate daily use and monitoring of controls) • Log review messages (to validate regular review of logs) • IDS/IPS/FIMS alerts

Conclusion

As organizations become more familiar with the day to day requirements of managing PCI and other compliance initiatives, they are naturally looking for ways to both streamline their efforts and ensure the effectiveness of their controls. Log management dovetails well with this movement; satisfying log collection, retention, protection, and analysis requirements as well as providing the infrastructure for continuous compliance and control validation.

References

• Payment Card Industry Data Security Standard, version 1.1. September 2006.
• Payment Card Industry Data Security Standard: Security Audit Procedures, version 1.1. September 2006.

www.pcisecuritystandards.org

Jason Chan is LogLogic's Director of Product Management for Applications. Prior to joining LogLogic, he was Senior Manager for Symantec's Security Advisory Services office in San Francisco. Jason is a certified PCI auditor and has been involved with payment card security since 2002, when he began performing Visa CISP (Cardholder Information Security Program) assessments while at @stake, a security consultancy that was acquired by Symantec in 2004. He started working in the security field in the late 90s at the US Navy's Space and Naval Warfare Information Warfare Engineering Center. Jason received his undergraduate degree from the College of Charleston and his Master's degree from Boston University.


Jeremiah Grossman founded WhiteHat Security in 2001. Prior to WhiteHat, he was an information security officer at Yahoo! responsible for performing security reviews on the company's hundreds of websites. Jeremiah is a world-renowned leader in web security and frequent speaker at the Blackhat Briefings, NASA, Air Force and Technology Conference, Washington Software Alliance, ISSA, ISACA and Defcon. He is a founder of the Web Application Security Consortium (WASC) and the Open Web Application Security Project (OWASP), as well as a contributing member of the Center for Internet Security Apache Benchmark Group.

Let's start with an easy one. How did you get interested in Web security?

Most of my technology background originates from Web development. I’ve created many websites, coded in several server-side (Perl, C, Java) and client-side (JavaScript, Flash, Java) languages, studied HTTP extensively, toyed with every major Web browser since Mosaic, and am very familiar with Apache and MySQL. But, it really wasn’t until the summer of 1999 that I took an active interest in Web security. The mainstream media published several articles stating that the Web wasn’t secure (nothing new here), but the big guys (Yahoo, Amazon, eBay, etc.) had fixed the problem (They did!? How!?).

To satisfy my curiosity, I proceeded to hack into my own Yahoo! Mail account and quietly reported my results back to them. A few emails later, Yahoo! offered me a position as “The Hacker Yahoo.” And the rest, as they say, is history - tinyurl.com/2fmkwv

What are the most important lessons that you learned while working as the Information Security Officer at Yahoo? I'm sure many security professionals wonder what working at such a large company entails.

Yahoo! was/is big, really big. It’s so big it’s hard to wrap your mind around: at the time, my best count was roughly 600 websites, 17,000 publicly facing Web servers, and 120 million users.

Working for Yahoo!, or being responsible for the security of any popular website, is trial by fire. Think about the fact that there are more than 1 billion people across the globe with access to your website all the time, and a certain percentage (we thought 1%) is malicious. As demanding as this type of job is, the experience is also extremely rewarding and highly recommended for anyone in website security. Without having been in that role, it’s difficult to appreciate which security strategies actually work, versus the ones that technically should, but don’t.

Lessons learned:

• IDS says everyone is attacking you with everything they got all the time
• A hacker, who just has to find a single vulnerability, has it easier than a security professional, who has to defend against all vulnerabilities all the time
• Everyone with a website gets a “vulnerability assessment,” probably several per day. Whether you pay for the results or not is another matter
• Use security obscurity to your advantage
• Security solutions that work for smaller websites don’t necessarily scale for the larger ones.

This year you've been selected as one of the Top 25 CTOs according to InfoWorld. How does it feel to have your work recognized and be put head to head with other well known industry giants?

It’s an honor. “Surreal” is the best word I can use to describe being listed next to names from top companies like VeriSign, 3Com, Motorola, and Credit Suisse. And while I’m receiving a lot of the credit recently, which I appreciate, it’s really the result of years of tireless effort from many amazing people at WhiteHat Security and around the webappsec community. I was always fond of the quote by Sir Isaac Newton, “If I have been able to see further, it was only because I stood on the shoulders of giants.”

Has the award put a spotlight on WhiteHat Security?

It’s funny, I was just getting used to seeing our name in the press about every week or so, then this happened. Now it’s almost every day we’re mentioned and it’s actually been difficult for us to keep up with all the inbound interest in WhiteHat Sentinel. Part of the build up is of course press generated. But, most of the increase is simply due to the complexity and difficulty of Web application security and the need for easy-to-use vulnerability management services. We’re really excited about the future and we seem to be at the right spot at the right time.

USE SECURITY OBSCURITY TO YOUR ADVANTAGE

With the constant evolution of threats, what kind of technology challenges does WhiteHat Security face?

It’s interesting. It’s not so much the new attacks or techniques that keep us on our toes, but the adoption of new Web development technologies such as Ajax, Flash, Java, etc. Websites using these technologies are really no more or less secure. But, what is more difficult is scanning for the vulnerabilities within them. Today’s Web pages share more similarities with running applications instead of traditional HTML documents. This makes “crawling” the website that much harder. By extension, the attack surface is more difficult to define, and as a result black box “fuzzing” is constantly challenged.

In your opinion, how has the Web security scene evolved in the last few years?

It might sound odd, but one big difference for me is that only a few years ago people barely knew that “Web application security” existed or that firewalls and SSL didn’t protect a website. Today, almost everyone I talk to, from coast to coast and country to country, has that figured out. Now everyone wants to know what the latest trends and best practices are. The other big difference is the availability of knowledge. Before, the information people needed to secure a website really wasn’t documented. Now, people have access to websites with hundreds of white papers, presentations, and books right at their fingertips. If you want to secure a website, the information to do so is out there.

Have new development techniques brought more problems?

Some experts like to say that Ajax or Web 2.0 is the harbinger of new attacks. I’m not one of them. Fundamentally, we’re dealing with the same problems in the same locations. The challenges that Ajax brings land more on the security vendor than on the enterprise. We have to find vulnerabilities in these custom Web applications and Ajax-enabled applications are much more difficult to do so. Read any of Network Computing’s scanner product reviews and you’ll see what I mean (tinyurl.com/2ypwo6).

What are the security tools/services that you use on a daily basis and couldn't live without?

I’ve blogged about the speed hack contests we hold at the office. This is where we race to find the first and the best vulnerability in a never-before-seen website. For speed, nothing beats Firefox, the Web Developer Toolbar, and having the Paros or Burp proxy handy. If I happen to get stuck on an XSS filter, I call up RSnake’s XSS cheat sheet, use the encoders at the bottom, and that usually does the trick - ha.ckers.org/xss.html

If I woke up tomorrow back at Yahoo!, or was responsible for the security of any website, (I know I’m biased here) the honest answer is I’d get the Sentinel Service deployed immediately. The service is easy and complete, but most of all a security professional’s time is precious. Sure they could do the vulnerability assessment work themselves with each site update, but it’s a poor use of their time and expertise. Their time and expertise is better spent focusing on strategic solutions and big picture thinking, rather than trying to identify, prioritize and weed through the next hundred Cross-Site Scripting, SQL Injection, or whatever other vulnerabilities there might be.

Are websites that you assess more insecure today in comparison to 3 years ago?

I’d say today’s websites probably have less vulnerabilities, but they’ve also never been more at risk.

While SQL Injection seems to be on the decline and Cross-Site Scripting filters are far more common, the number of attackers and attack techniques has increased dramatically.

The bad guys go where the money is and right now that’s the Web. To monetize, all they have to do is capitalize on one single vulnerability. So, if an organization is only going after the low hanging fruit, that isn’t going to help much, since Web attacks are targeted. Websites that do better are the ones whose security posture makes it hard enough on the bad guy where it’s in their best interest to try some place else.

TODAY’S WEBSITES PROBABLY HAVE LESS VULNERABILITIES, BUT THEY’VE ALSO NEVER BEEN MORE AT RISK.

A significant part in the process of developing a complex enterprise website is ensuring that the customer data being used on that website is secure. What do you see as the biggest threats to that security? What are the most common mistakes you see your customers make?

With 125+ million websites, and most of them riddled with vulnerabilities, I think it’s safe to say the mistakes have already been made. At this point, we’re trying to stop the new holes in the dam and plug the existing ones. Here’s the advice I give to everyone:

1) Asset Tracking – Find your websites, assign a responsible party, and rate their importance to the business. Because you can’t secure what you don’t know you own.

2) Measure Security – Perform rigorous and on-going vulnerability assessments, preferably every week. Because you can’t secure what you can’t measure.

3) Development Frameworks – Provide programmers with software development tools enabling them to write code rapidly that also happens to be secure. Because, you can’t mandate secure code, only help it.

4) Defense-in-Depth – Throw up as many roadblocks to attackers as possible. This includes custom error messages, Web application firewalls, security with obscurity, and so on. Because 8 in 10 websites are already insecure, no need to make it any easier.

You are one of the authors of the recently released "Cross Site Scripting Attacks: XSS Exploits and Defense". How long did the writing process take? What was it like to cooperate with other authors?

The writing process took about six months. Generating hundreds of pages of coherent and compelling content is challenging to say the least, even with five of the best subject matter experts working in parallel. It was great getting to review the work of the authors on the fly and see the project come together. And, people really seem to be excited about the book and enjoying the read. For me, the feedback and reviews we’ve been receiving from the industry is what really made it all worthwhile. Knowing that your work is useful to so many is a great feeling.

Web security has been getting a lot of attention in the past 2 years and an increasing number of people are starting to pay attention. What resources would you recommend to those who want to learn more about Web security?

There are a lot of resources out there and the blogosphere has been one area that has exploded. Here are some good resources:

• Robert “RSnake” Hansen (ha.ckers.org)
• Planet Web Security (planet-websecurity.org)
• Mine :) (jeremiahgrossman.blogspot.com)
• Matasano (www.matasano.com/log)
• Web Application Security Consortium (www.webappsec.org)
• Open Web Application Security Project (www.owasp.org)
• Web Security Mailing List (www.webappsec.org/lists)

SOFTWARE VENDORS HAVE A RESPONSIBILITY FOR THE DATA THEY PROTECT AND THE PRODUCTS THEY SELL

In general, what is your take on the full disclosure of vulnerabilities? Should vendors have the final responsibility?

At the end of the day, website owners and software vendors have a responsibility for the data they protect and the products they sell. I’ve been on most sides of the full-disclosure debate (website owner, software developer, security researcher, and business owner) and can appreciate the concerns raised. I’m a pragmatist. When responsible for security, I have no expectation that anyone is going to share any vulnerability information with me ahead of time. I hope they would before going public, but it would be irresponsible to depend on it and hopeless to demand it. I also think describing the messenger as “unethical” or worse only gives the impression that the company isn’t taking full responsibility for the incident. Instead, try to be open, investigate what caused the problem, solve it, and move on.

What are your plans for the future? Any exciting new projects?

While specific projects I’m working on at WhiteHat must remain confidential, my “agenda” is twofold. Help organizations find the vulnerabilities in their websites, no matter how big or how often they change. If that means scaling big enough to scan the entire Internet every week, so be it. And, when we know where the vulnerabilities are, provide organizations with options to get them fixed, quickly and with the least amount of trouble. Once someone decides they want to improve the security of their website, I want to be able to provide them with a game plan to do so that makes sense.

The geek shall inherit the earth! This is the slogan that has reverberated out from Silicon Valley since the mid-90s, as we all realized that technology was, actually, fun, interesting, essential. Geek chic took over the worlds of film, fashion – and even finance. Suddenly it was cool to be into computers.

But the rise of the geek didn’t just confine itself to the light-hearted enter- tainment, start-ups that went stratospheric, or successful transformations of ‘old economy’ businesses. Computers and crime have come together. Mobsters are no longer the fast-talking, pin-striped, gun-toting caricatures of Hollywood legend. Criminal organizations are just as likely to be behind hacking and phishing networks as illegal gambling rackets and gun-running operations - with the same levels of profitability.

These days the weapons of choice are not sawn-off automatics, or revolvers fitted with silencers. It’s much more likely to be illicitly gathered passwords, user-names and dates of birth. And of the armory at their disposal, keyloggers are an increasingly popular choice.

Available in either software or hardware form, keyloggers record every stroke made on a keyboard, and compile the data gathered to reconstruct login details, PINs, encryption codes, mothers’ maiden names or any other form of security information. From there it is but a short journey to inviting vistas of identity theft, industrial espionage, blackmail, or simple credit card misappropriation.

Successful surveillance

In an age when computers are increasingly central to so many aspects of our lives, and the quality of information is a key differentiator between businesses, it is not surprising that keyloggers have proved to be so attractive to criminals.

Despite this, the keylogger/criminal connection has on occasion worked in the interests of the good guys.

In one of the earliest examples of cyber-crime fighting, Nicodemo Scarfo Jr, a well-connected member of the New York and Philadelphia mobs, was brought down by a keylogger that the FBI covertly installed on his computer to capture the passphrase protecting his encrypted files. (The case is often conflated with “Magic Lantern”, the Trojan-delivered FBI keylogger reported later; the Scarfo device was planted during a court-authorised physical entry to his office.) Certainly not the typical bullets-and-bloodshed take-down of popular imagination, it was still enough to indict him for running an illegal gambling ring and loan sharking.

At the time the story raised a number of concerns about computer privacy. Now it serves as a useful reminder that there is a positive side to keylogging. As well as serving the interests of law enforcement agents, keyloggers can help employers maintain productivity by ensuring that staff are working on appropriate projects. They can protect valuable bandwidth, by spotting when unnecessary applications have been downloaded, and ensure optimum use of networked resources by keeping personal web or system use to appropriate levels.

Keyloggers can even be used in the interests of child protection, enabling parents to check their children’s computer activities, while giving those children a degree of independence and privacy.

Keyloggers and criminals

Nonetheless, it is still the darker side to these surveillance technologies that is more familiar to the majority of IT and security professionals. Using keyloggers gives thieves a veil of anonymity: they can plunder the treasure-trove of inter-connected corporate systems and storage devices at will, with very little chance of detection.

In the wrong hands, therefore, keyloggers can damage business relationships, financial standing, and reputations. They can even cause an organization to breach major pieces of legislation such as the European Data Protection and Human Rights Acts, or the Sarbanes-Oxley Act in the States.

Using keyloggers gives thieves a veil of anonymity.

Nor is it just large corporates that experience keylogging attacks. They may well be the most attractive targets, but individuals’ personal details are at risk from a carefully located keylogger – and far less likely to be adequately protected. In fact, any individual or organization that accesses, inputs or stores valuable information is at risk.

Software or hardware

Scarfo was caught out by a software keylogger, and software is still the way the majority of keyloggers work, typically reaching the victim’s machine through a Trojan. The advantage of the software versions is that they are easy to install – despite the constant warnings, too many people lose the war between curiosity and caution and open up spyware, Trojan or virus-infected files and emails. Software also enables thieves to infect a huge number of machines and gather the data quickly, easily and remotely.

Fortunately, detection is becoming much easier. The attractions of the bigger corporates are tempered by the increasing awareness of IT security managers, who keep machines protected with the latest anti-virus software to prevent Trojans and spyware entering the system in the first place. Should a keylogger slip through the net, standard protection tools that monitor the status of a computer can detect and remove it.

Unfortunately, security managers are locked in a game of one-upmanship with criminals who have followed the lead of the most successful businesses and taken the maxim ‘innovate or die’ to heart. As security measures improve, so criminals find new ways to breach them. In this case that means hardware keyloggers. These devices are much harder to detect than software since they do not install any code onto the machine and cannot be spotted by traditional anti-virus or anti-spyware tools.

Installing the hardware

Hardware keyloggers take two main forms. The first, and probably the most common, is a small device installed at the back of a PC between the keyboard and its connection to the machine.

As with all hardware keyloggers, it requires the attacker to have physical access to the computer in question, both to install and later retrieve the device. With social engineering growing in sophistication, this doesn’t pose a problem to the determined individual, particularly as it takes a matter of seconds to install, and requires no technical skill.

These kinds of keyloggers may only be approximately 1.5 inches long, but they have a memory capacity that allows up to two million key strokes to be recorded – which represents about five years’ worth of typing for the average computer user.

Happily, this type of hardware keylogger is also the easiest to detect visually – provided you know what to look for.

More insidious forms of keyloggers are built into the keyboard. Thieves will either replace the keyboard completely or dismantle it, insert a keylogging device, and re-assemble it. Naturally this requires a greater degree of skill on the part of the criminal, and takes more time to complete. But the chances of visual or manual detection are almost zero.

Organizations can defend themselves against keyloggers.

Self-defense

The good news is that organizations can defend themselves against determined keyloggers. The first step, as with all effective security measures, is to educate and train users to raise awareness and create a culture of individual responsibility. The number of PCs in large companies makes it impractical for the IT security manager to check the back of every single box and every single keyboard manually. Users who carry out basic monitoring of their own equipment greatly increase the chances of detecting any rogue devices.

Secondly, organizations should look at alternatives to desktop PCs. Although still susceptible to hardware keyloggers, the inbuilt keyboards of laptop computers are far harder to tamper with. However, greater use of mobile devices brings new security challenges, which must be balanced against the reduced threat from keyloggers.

Then there are the secure tokens, smart cards or other devices that are used to provide a second layer of authentication after user names and passwords. These work by having a constantly changing passcode, meaning that a code gathered by a keylogger is invalid as soon as it has been used or has expired, and cannot be replayed to sneak into the system. The static password captured alongside it is still exposed, so the second factor has to be mandatory on every logon path, not optional.

Organizations should also consider increasing the use of drop down menus for gathering information. Instead of typing in information with trackable keystrokes, drop downs enable users to select characters or words with the mouse, which a keystroke logger cannot record. (Malware that captures the screen or the submitted form still can, so this is a defence against keyloggers specifically, not against every data-stealing Trojan.)

However, in addition to these more general security tools, there are a number of applications, recently on the market, that can automatically identify hardware keyloggers. These software solutions disable the devices by intercepting and blocking communications between the device and the targeted computer. The software also alerts the IT department to the presence of keyloggers.

The secure organization

Keyloggers are such a potent source of danger because they exploit the gap created by not one but two notoriously weak areas of IT security. The first is our ongoing reliance on passwords. Sophisticated intrusion prevention or segmented access authorization do add extra layers of protection to corporate networks, but they still cannot distinguish between a legitimate user with the right password and a malicious one.

The second is old-fashioned physical security, often forgotten when devising strategies to protect virtual assets. Since hardware keyloggers require physical access to the targeted machine, the criminal must be in the presence of that computer, even if only for a matter of seconds. If they are to protect themselves against keyloggers, organizations have to give the broadest possible definition to IT security. That means policies to help employees recognize social engineering attacks, and even conducting thorough background checks on auxiliary staff who have access to the building.

After all, if you think your data is worth protecting, then someone else will think it is worth stealing.

Sacha Chahrvin has been the UK managing director of SmartLine for two years. He has a BA in Business Studies and has spent more than 10 years in the software industry. Before SmartLine, Sacha worked for a number of reseller organisations supplying software licensing to Fortune 500 accounts, with his last role being global account manager at Reuters.

WINDOWS - WinSCP http://www.net-security.org/software.php?id=6

WinSCP is an open source SFTP and SCP client for Windows using SSH. Its main function is safe copying of files between a local and a remote computer.

LINUX - Firewall Builder http://www.net-security.org/software.php?id=230

Firewall Builder consists of an object-oriented GUI and a set of policy compilers for various fire- wall platforms. In Firewall Builder, a firewall policy is a set of rules; each rule consists of abstract objects that represent real network objects and services (hosts, routers, firewalls, networks, protocols).

MAC OS X - The DoorStop X Security Suite http://www.net-security.org/software.php?id=674

The DoorStop X Security Suite is an integrated, comprehensive approach to securing your Macintosh on the Internet.

POCKET PC - Pocket Warrior http://www.net-security.org/software.php?id=575

Pocket Warrior is a WiFi 802.11b auditing tool for Pocket PC devices with Prism-chipset wireless cards.

To submit a software for consideration e-mail [email protected]

The underlying goal of typical “hacker” sessions or seminars is to get attention and create awareness. They give you insight into what can be done to your network by those among us who have cruel intentions. With the release of Windows Vista a lot has changed. Microsoft tightened up user rights, introduced User Account Control, limited services and code execution, improved IE security and revamped the firewall. What’s left for the good old hacker?

Technical vs. non-technical aspects

While a lot has happened in the security field during the last few years, the (ethical) hacker still knows some tricks that work perfectly. Simply fire up a sniffer and you will know what I mean. As with everything in life, things can end up in the wrong hands and can, in this case, be used to compromise security in many ways.

Despite all this, a lot of companies still don’t see security as a complete set of measures that have to be taken to get a more secure environment. Security is definitely not a layer that can be pasted in after all the (infrastructure) implementation work is finished. "Oh yeah, we forgot that security thing! Just add some of it!" It simply doesn’t work that way. It is sometimes difficult, but I think the only way is to create awareness, and sometimes to present the bare facts, for example by giving a demo, to really show the vulnerabilities. The technical issues are not the only ones that play an important role; the human factor is also of great importance. It is highly important to have a good policy and follow strict procedures. I stress the fact that I said “more secure” earlier, because totally secure and 100 percent protection is out of the question. It’s always a matter of calculating risk and a balanced investment in protecting your assets.

Be aware of certain risks

Why is it so easy to get access to a network? Well, because most of the time the proper countermeasures haven’t been taken to limit the scope a potential attacker has. This goes from a security policy, knocking out rogue access points, implementing network segmentation and limiting user capabilities on an ordinary workstation, to patched and properly managed firewalls.

A system administrator doesn’t have to be a hacker, and doesn’t even need such skills to get proper network management in place. But being aware of the risks is a good thing. A basic understanding of what is possible on the network from an attacker’s perspective, and of what can go wrong, helps the IT (security) professional to better understand all of this and then be able to better secure the company network and protect the assets.

The starting point: disclose information

Ethical hackers can use many different methods during a simulated attack or penetration test; there is a whole range of tools and attack methods to choose from. This can start from the remote network, for example by launching an attack over the Internet. This way the ethical hacker tries to break or find vulnerabilities in the outside defenses of the network, such as firewall, proxy or web servers. One can also use remote dial-up possibilities (yes, they still exist) or the local network in order to launch the attack.

By using social engineering, it is possible to check the integrity of the organization’s employees. Also, by gaining physical entry the attacker can attempt to compromise the organization’s physical premises. You will never know how easy it is to tailgate and just walk in through the entrance, even with double-protected guards on the front door.

An attacker who gains physical access can plant viruses, Trojans, rootkits, install hardware keyloggers, copy information directly to a disk, install rogue access points or get direct access to systems in the target organization and network. He can also steal some unprotected hardware equipment with useful information on it.

The first step for any attacker is to get the information needed to start an attack. Hacks in general can be initiated from outside but can also be launched from the inside. As you will know, a large share of attacks (figures of around 75 - 80 percent are often quoted) come from inside the company.

These first steps can all be passive. A thorough search for information about the company on Google can disclose a lot of basic information. Information gathering is possible by querying the Whois database of, for example, RIPE (www.ripe.net). The result is a range of IP addresses which can be the starting point for further steps in more active techniques used to get closer to the target.

Port scanning techniques and Nmap

It is very easy to start using the Nmap network mapping utility (insecure.org/nmap/) to scan networks and get crucial information about hosts on that network: what kind of hosts they are and how each host is configured, which ports are open or which services are running.

The power behind Nmap is the huge number of scanning techniques and options available. Some Nmap scans can hide your own machine and in that way make it appear as if another computer is scanning the network (the decoy and idle scans), while other scans go directly for the targeted machine. Nmap’s primary interface is the command line, on Windows as well as on Unix. The command line is very powerful and a lot of options and parameters can be added to do the work. There is a graphical utility available called NmapFE, but in order to take advantage of the more advanced functionality you should stick to the command line. Note that the raw-packet scan types (SYN, FIN, NULL, Xmas, idle) need administrator or root privileges to craft packets; without them Nmap falls back to a full connect scan.

With Nmap you can scan for TCP or UDP ports. TCP is a stateful or connection-oriented protocol. Connection-oriented means that, before any data can be transmitted, a reliable connection must be established and acknowledged by both parties involved in the communication. As you will know, there is a specific set of control bits that can be set in a TCP packet, also known as “flags”. Flags can be:

URG: Urgent Pointer
ACK: Acknowledgement
PSH: Push Function
RST: Reset the connection
SYN: Synchronize sequence numbers
FIN: No more data from sender

A three-way handshake (SYN, SYN-ACK, ACK) establishes a connection (an active open); terminating a connection (an active close) is a separate exchange in which each side sends a FIN that the other side acknowledges.

One problem with port scanning is that most of the time it is logged by the services listening on the scanned ports. This is because they detect an incoming connection but do not receive any data, thereby generating an error in the log.

UDP is different, as it is connectionless (“fire and forget”) traffic. UDP does not guarantee reliability or ordering in the way that TCP does. Datagrams may arrive out of order or go missing without notice. Missing the overhead of checking whether every packet actually arrived at the destination makes UDP faster and more efficient for applications or services that do not need guaranteed delivery, such as messaging or streaming protocols. In order to scan for UDP ports with Nmap, you generally send empty UDP datagrams to the port. If the port is listening, the service will send back a response or an error message, or ignore the incoming datagram. If the port is closed, the operating system usually sends back an “ICMP Port Unreachable” (type 3, code 3) message. This way the attacker can find open ports, with one caveat: silence is ambiguous, because a firewall dropping the probe looks exactly like a listening service that ignores it, which is why Nmap reports such ports as open|filtered rather than open.

Port scanning techniques can be differentiated with Nmap, and this way you can use open scan, half-open scan, stealth scan and a lot of other options to “dive under the radar”. Naturally, it is most preferable for the attacker to keep his actions undetected.

Scanned and open ports on a Windows Domain Controller

Different types of scanning

Open scans make use of a full connection opened to the target system by a three-way TCP/IP handshake. The downside of this is that these scans are easy to detect on the network. This is because the whole three-step handshake process will finish and most of the time will be logged by the contacted machine or IDS. However, the information gathered with an open scan is the best in determining the actual (port) state of the target machine.

In the handshake process the client sends a SYN flag, which is replied to with a SYN+ACK flag by the server, which in turn is acknowledged back with an ACK flag by the client to complete the connection. If a port is closed or 'not listening' the server responds with an RST-ACK flag, to which the client responds with an RST flag, closing the connection. This allows the user to see if a particular port is open or closed.

Another disadvantage of this scan technique to an attacker is that it is impossible to spoof his identity, as spoofing would require sending a correct sequence number as well as setting the appropriate return flags to set up a data connection. Spoofing an IP address in this case will never complete the three-way handshake, as the responses go to the spoofed IP address. Besides that, most intrusion detection systems and firewalls detect and log this scan, because the IP address is known and so the attacker's IP address can be logged, filtered or easily blocked.

Half open scan

One way to circumvent logging and detection is to perform a half open scan, in which a complete TCP connection is never established. Instead, as soon as the server acknowledges with a SYN-ACK response, the client tears down the connection by sending an RST. This way, the attacker detects an open port listening/running a service from the SYN-ACK response, while the service itself never sees an accepted connection and so has nothing to log. Intelligent intrusion detection systems and firewalls are nonetheless capable of detecting a scan like this and can block it.

Stealth scanning

Half open scans were considered stealthy for a long time, but as intrusion detection systems evolved, these scans became easily logged. Now there are other ways to stealthily scan a network: scans where the packets are flagged with a particular set of flags other than SYN, using a combination of flags, with no flags set (the NULL scan), with all flags set, just appearing as normal traffic, or by using fragmented packets and in this way tricking filtering devices. A caveat for the Windows-focused reader: the NULL, FIN and Xmas scans rely on an RFC 793 stack staying silent on an open port and answering a closed one with RST; Windows answers with RST regardless of port state, so these scans cannot distinguish open from closed ports on a Windows target.

Discover systems

Now we can scan a network for specific systems. It’s beyond the scope of this article to discuss this all, but assume the attacker is on the internal network. A system presents most of the time a fingerprint of the services running on that box by, for example, specific opened ports. This makes it in one way or another unique. Unix and Windows systems each have some unique characteristics. This makes it possible to get a picture of the workstations and servers on the network segment and the type of systems. A domain controller presents some specific open ports, like the ports for Kerberos (88) and LDAP (389) traffic. Active Directory does its job by transmitting traffic over these ports, and having them open gives a good indication of the possible role of the machine scanned.

Once the attacker finds an interesting system, he can use several exploits in the field that can be used to compromise a system. For ethical reasons I’m not presenting the whole story here. However, there are many vulnerabilities, not only Windows-oriented but also on Linux, Firefox, specific routers and applications. Just pretend I now want to get control over a specific machine in the network, either remotely or physically. You gain that control. Next I’m presenting a very old trick that most of you will know from the past, just as an example. The point is that it is still working on older or unpatched systems.

The famous and notorious Null Session

A so-called “null session” occurs when you connect to a Windows system’s SMB service with no username or password at all. NetBIOS null sessions are vulnerabilities found in SMB, the Server Message Block protocol. SMB is a protocol for sharing files, printers, and communications such as named pipes between Windows computers.
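The flag-based scan types and the stealth caveat discussed under "Stealth scanning", as an added example that is not the article's code: a Python decoder for the TCP flags byte, a model of what an RFC 793 stack versus a Windows stack answers to NULL/FIN/Xmas and SYN probes, and a small detector run over a constructed packet capture. The addresses, ports and packet records are made up for the demo; it flags the two scanning sources while leaving a normal SMB session alone.

```python
# TCP control bits, the low six bits of the flags byte in a TCP header (RFC 793)
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08,
             "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def decode_flags(byte):
    """Flags byte -> frozenset of the flag names that are set."""
    return frozenset(name for name, bit in FLAG_BITS.items() if byte & bit)


def encode_flags(names):
    """Flag names -> flags byte (what a scanner writes into a crafted header)."""
    return sum(FLAG_BITS[n] for n in names)


def probe_kind(flags):
    """Name the scan technique a lone packet with these flags belongs to."""
    f = set(flags)
    if not f:
        return "null-scan"        # no flags at all: never legitimate traffic
    if f == {"FIN"}:
        return "fin-scan"         # FIN without any prior connection
    if f == {"FIN", "PSH", "URG"}:
        return "xmas-scan"        # the 'lit up' Nmap -sX probe
    if f == {"SYN"}:
        return "syn"              # first step of a handshake, or a half-open probe
    if {"SYN", "ACK"} <= f:
        return "syn-ack"          # the server's half of a handshake
    if "RST" in f:
        return "rst"              # refusal or teardown
    return "established"          # ACK-bearing traffic of a real connection


def expected_reply(port_state, kind, rfc793=True):
    """What the target stack answers to a probe (Nmap's decision table).
    RFC 793 stacks stay silent on an open port and RST a closed one; Windows
    RSTs either way, so NULL/FIN/Xmas cannot tell open from closed there."""
    if kind in ("null-scan", "fin-scan", "xmas-scan"):
        if port_state == "closed" or not rfc793:
            return "RST"
        return None
    if kind == "syn":
        return "SYN/ACK" if port_state == "open" else "RST/ACK"
    return None


def detect_scans(packets, min_ports=5):
    """packets: (src, dst, dport, flags_byte) records as a sniffer would give.
    Flags a source that touches many distinct ports with probe-shaped packets
    and never carries established traffic (it never completed a handshake)."""
    per_src = {}
    for src, dst, dport, byte in packets:
        kind = probe_kind(decode_flags(byte))
        entry = per_src.setdefault(src, {"ports": set(), "kinds": set(), "dst": dst})
        entry["ports"].add(dport)
        entry["kinds"].add(kind)
    alerts = {}
    for src, e in per_src.items():
        probing = e["kinds"] & {"null-scan", "fin-scan", "xmas-scan", "syn"}
        if probing and "established" not in e["kinds"] and len(e["ports"]) >= min_ports:
            alerts[src] = {"dst": e["dst"], "ports": len(e["ports"]),
                           "kinds": sorted(probing)}
    return alerts


# Constructed capture: a SYN sweep from 10.0.0.5, an Xmas sweep from 10.0.0.6
# and one legitimate SMB session from 10.0.0.7 (handshake followed by data).
SAMPLE_PACKETS = (
    [("10.0.0.5", "10.0.0.20", p, encode_flags(["SYN"]))
     for p in (21, 22, 25, 80, 135, 139, 445, 3389)]
    + [("10.0.0.6", "10.0.0.20", p, encode_flags(["FIN", "PSH", "URG"]))
       for p in (53, 88, 135, 139, 389, 445)]
    + [("10.0.0.7", "10.0.0.20", 445, encode_flags(["SYN"])),
       ("10.0.0.7", "10.0.0.20", 445, encode_flags(["ACK"])),
       ("10.0.0.7", "10.0.0.20", 445, encode_flags(["ACK", "PSH"]))]
)

if __name__ == "__main__":
    for src, alert in detect_scans(SAMPLE_PACKETS).items():
        print(src, alert)
```

The detector keys on the sender only, which is deliberate: a half-open or Xmas scanner never sends the ACK that turns a SYN into a connection, so "many ports, probe packets, no established traffic" separates it from a busy but legitimate client without having to track the target's replies.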

Setting up a Null session

One method of connecting a NetBIOS null session to a Windows system is to use the hidden Inter Process Communication share (IPC$). This hidden share is accessible using the net use command. The empty quotation marks ("") indicate that you want to connect with no username and no password. The syntax is as follows:

C:\> net use \\192.168.1.71\IPC$ "" /u:""

Once the net use command has been successfully completed, the hacker has a channel over which to use other hacking tools and techniques. It’s relatively easy to get a full dump of all usernames, groups, shares, permissions, policies, services and more using the null user session.

At this moment there are some options to protect against this kind of null session by setting a specific policy. In Windows (XP, Vista) there is a handful of policies (the “Network access:” settings under Security Options, such as “Do not allow anonymous enumeration of SAM accounts and shares”) that can be used and activated, or are there by default, to protect you against this type of attack. You can get some additional things in place to protect against this; I’ll return to that later.

Policies in Windows

Take over accounts

If an attacker can get on a Windows computer (either a server or client computer), it is possible to choose from a wide variety of tools to get access to the password database (NTLM hashes) on that machine. After that, the attacker can start a brute force attack on the hashes and before you know it, the worst has happened. More accounts will be compromised and can be used to further elevate privileges, empty logs and create backdoors.

On the Windows computer it’s possible to use the gsecdump tool. This tool dumps all the hashes from the accounts on that machine. Possibilities from the command prompt are:

-h [ --help ] show help
-a [ --dump_all ] dump all secrets
-l [ --dump_lsa ] dump lsa secrets
-w [ --dump_wireless ] dump Microsoft wireless connections
-u [ --dump_usedhashes ] dump hashes from active logon sessions
-s [ --dump_hashes ] dump hashes from SAM/AD

However, this tool needs to be running in a SYSTEM context on that computer, while the logged on user will not be running in that context. Services, however, run under the credentials of SYSTEM. The solution is to create a service that runs the command line shell in SYSTEM context. Creating a service requires local administrator rights, so this is a step from administrator to SYSTEM, not from an ordinary user. To do this:

C:\> sc create shellcmdline binpath= "cmd /K start" type= own type= interact
C:\> sc start shellcmdline
C:\> sc delete shellcmdline

Now the command line window is running under the right credentials. Even under Vista this can be done, although because of session 0 isolation the interactive service’s window no longer appears on the user’s desktop directly; Vista offers to switch to it through the Interactive Services Detection service. Now the gsecdump tool can be started to get some data. In the next screenshot you can find the result of such an action.

A gsecdump result

The next thing to do is to attack the hashes by using a good password crack utility. Another possibility would be to fire up a sniffer and get the hashes sniffed off the network. Since most of us don't use SMB signing, the SMB traffic is simple to intercept.

Counter measures

How can you take some precautions without having to spend that much money on special hardware, software and consultants?

First and foremost, get a decent security policy and baseline in place, hand out proper procedures and manage and control them, let users sign a non-disclosure agreement or a disclaimer document. If you don't have it, all the other will be a waste of time. Then think about segmenting your network. Servers on a server segment and clients separately on another part. Even in the DMZ you can use segmentation. In case one server is attacked and compromised, the other isn't necessarily affected. Create some strict paths between these segments and ensure monitoring is in place.

Implement server isolation. In such a scenario, specific servers or applications are configured to require IPSec policies to accept authenticated communications from other computers. For example, you might configure the domain controller to accept connections only from another domain controller in the Active Directory domain for certain services. Besides that, you can also implement domain isolation in a Windows environment. To isolate a domain, you can use Active Directory and the domain membership to ensure that only domain-member computers accept authenticated and secured communications from other domain-member computers. The isolated network holds only computers that are part of this domain.

Protect your workstations (laptops) by using encryption and lower the cache for logged on users (be able to log on even when the domain is not there). On laptops, this setting can probably be set to 1. Get good password policies with stronger passwords, or better, use passphrases, or get the smart card in with PIN code.

Next, harden servers as much as possible. Microsoft understands this problem and in Longhorn server or Server 2008 the started services will be minimized. You can download some pre-defined (policy) templates to implement this for Windows Servers.

When there is no need to get Internet access from workstations in your environment, just don't provide it. Most malware and rootkits come in by simply clicking or browsing on a website. Block unwanted devices using device control on your workstations so you have much more control over this kind of behavior.

Use logging to actively monitor servers, clients and users, and take care of the central and safe storage of all this so logs can't be destroyed by non-authoritative persons or personnel. Server 2008 and Windows Vista do have the option to write or upload log data to a central server to analyze this when needed. Use encryption techniques to protect data and get decent patch management in place.

Then, use host firewalls and IPSec for the creation of tunnels, or use only the authentication part of IPSec to give systems strong authentication.

I will go into a little more detail on the Vista firewall in combination with IPSec and the possible solutions it can offer you. All the attack vectors I mentioned earlier in this article can be broken down by implementing one or more of the things I just mentioned.
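The null-session policies and the SMB signing setting mentioned above can be audited from a security template export. The following is an added example, not code from the article: it parses the INF text that secedit /export /cfg <file> writes and compares the relevant Windows registry values against a hardened baseline; the sample export and the baseline values are constructed for this example.

```python
"""Check a secedit export against a small anonymous-access / SMB-signing baseline.

Added example, not code from the article. Input is the INF text that
`secedit /export /cfg <file>` writes; the sample below is constructed.
"""
import re

REG_DWORD = 4  # type code secedit uses for DWORD values in [Registry Values]

# (label, path as secedit writes it, hardened value, meaning). The value names
# are real Windows LSA / LanMan settings; the hardened values are this
# example's baseline, chosen to deny null-session enumeration and unsigned SMB.
BASELINE = [
    ("RestrictAnonymous",
     r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous",
     1, "anonymous (null session) enumeration of shares restricted"),
    ("RestrictAnonymousSAM",
     r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM",
     1, "anonymous enumeration of SAM accounts restricted"),
    ("EveryoneIncludesAnonymous",
     r"MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous",
     0, "anonymous logons are not members of Everyone"),
    ("ServerRequireSigning",
     r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature",
     1, "SMB server requires signing"),
    ("ClientRequireSigning",
     r"MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature",
     1, "SMB client requires signing"),
]

# Constructed sample in secedit's INF layout: two weak values, one value absent.
SAMPLE_EXPORT = r"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
"""

_VALUE_LINE = re.compile(r"^\s*([^=]+?)\s*=\s*(\d+)\s*,\s*(.*?)\s*$")


def parse_registry_values(inf_text):
    """Map lower-cased registry path -> (type code, raw data) from [Registry Values]."""
    values, in_section = {}, False
    for line in inf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):            # section header
            in_section = stripped.lower() == "[registry values]"
            continue
        if not in_section or not stripped or stripped.startswith(";"):
            continue
        match = _VALUE_LINE.match(line)
        if match:
            values[match.group(1).lower()] = (int(match.group(2)), match.group(3))
    return values


def audit(inf_text, baseline=BASELINE):
    """Return one finding per baseline entry with status ok, weak, or missing."""
    found = parse_registry_values(inf_text)
    findings = []
    for label, path, expected, meaning in baseline:
        entry = found.get(path.lower())
        if entry is None:
            # Not in the export: the OS default applies; flag it for review.
            findings.append((label, "missing", None, expected, meaning))
            continue
        vtype, raw = entry
        actual = int(raw) if vtype == REG_DWORD and raw.isdigit() else raw
        status = "ok" if actual == expected else "weak"
        findings.append((label, status, actual, expected, meaning))
    return findings


def summarize(inf_text):
    """Convenience view: {label: status}."""
    return {label: status for label, status, _, _, _ in audit(inf_text)}


def weak_settings(inf_text):
    """Labels whose value is present but weaker than the baseline."""
    return sorted(label for label, status in summarize(inf_text).items() if status == "weak")


if __name__ == "__main__":
    for label, status, actual, expected, meaning in audit(SAMPLE_EXPORT):
        print(f"{status:8s} {label:28s} actual={actual!r} expected={expected} ({meaning})")
```

A setting reported as missing is not necessarily safe: it means the export carries no explicit value, so the operating system default is in force and should be checked on that Windows version.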

Vista firewall: allow only specific connections

Using Host based firewall and IPSec

The Windows Vista Firewall comes enabled for both inbound and outbound connections. The default policy is to block most inbound connections and allow outbound connections. You can use it with the Advanced Security interface to configure specific custom made rules for both inbound and outbound connections.

You can configure different rules and settings for the following firewall profiles:
• domain. Used when a computer is connected to an Active Directory domain of which the computer is a member.
• private. Used when a computer is connected to a private network behind a private gateway or router.
• public. Used when a computer is connected directly to the Internet or any network that has not been selected as Private or Domain.

When a user connects to a network that is not part of the domain, Vista pulls up that wall and asks the user to identify the network as either Public or Private. In combination with IPSec authentication, you can configure rules for specific computers so that connections from those computers bypass other rules set up in the Windows Firewall. This allows you to block a particular type of traffic, but allow authenticated computers to bypass this.

The great thing about this is that a certain port is not even open if the criteria are not met. So if a non-authorized computer is trying to contact, the port is not available. This authentication goes all the way - specific computer, users, membership of Active Directory groups and so on. If you do have a PKI in place, it's possible to combine this with the presentation of a client computer certificate and a user certificate that is stored on a smart card. In that way a user can be restricted to log on from a specific network segment, computer or a combination.

You can even restrict an administrator to do some work from specific computers or network segments by implementing the appropriate rules. If an administrator is trying to log on from home, this can be made impossible because of certain rules. As you can see, very granular and easy to manage, because you will already be familiar with other management tasks within Active Directory.

With Windows Vista, the firewall can allow more granular authenticated bypass rules, allowing the administrator to specify which ports or programs can have access, as well as which computer or group of computers can have access.

Windows Service Hardening helps prevent critical Windows services from being used for potentially malicious activity in the file system, registry or network. If the firewall detects specific behavior as defined by the network rules, the firewall will block its traffic at once. If a service is exploited and gets to run malicious code, it is prevented from sending or receiving traffic over non-authorized network ports. This reduces the effect the malicious code has on the system itself and the spreading of that to other hosts in the network, greatly reducing the attack vector.

I believe there are several possibilities within Windows XP, Server 2003, Vista and the not yet released Server 2008 to act against the more traditional attacks. With a good plan and up to date technology, there is a lot that can be done to make it much harder for the determined attacker to gain access and control over your environment.

Malware, rootkits and other types of sophisticated technology play an important part in our networked and more open world today than ever before. 70 percent of Windows computers today are infected by some kind of malware. It is a new and different threat and not stopped by traditional solutions.
We certainly need to create awareness in our end-users to make sure this doesn't happen as often.

Rob P. Faber (CISSP, CEH, MCSE) is an infrastructure architect, consultant and senior engineer. He is currently working for an insurance company (22.000 client computers) in The Netherlands. His main working area is (Windows Platform) Security, Active Directory and Identity Management. You can reach him at [email protected] or find him on the LinkedIn network.


I have been following the work of the Trusted Computing Group (TCG) since its inception. The body, successor to the Trusted Computing Platform Alliance started by such giants as Hewlett-Packard, IBM, Intel and Microsoft, has a goal to develop vendor-neutral standard specifications for trusted computing. TCG is quite present at all the major information security conferences around the globe, so I had an opportunity to attend some of their lectures and check out the actual trusted platforms (hardware devices with TPM chips) in test environments.

What is a TPM chip

The TPM is a microcontroller that stores keys, passwords and digital certificates. It's typically affixed to the motherboard of a PC. The nature of this silicon ensures that the information stored there is made more secure from external software attack and physical theft. Security processes, such as digital signature and key exchange, are protected through the secure TCG subsystem.

Access to data and secrets in a platform could be denied if the boot sequence is not as expected. Critical applications and capabilities such as secure email, secure web access and local protection of data are thereby made much more secure. TPM capabilities also can be integrated into other components in a system.

Apple and TPM

If you bought your Mac between May and October of 2006, you most probably have a TPM chip. The chip in question was Infineon TPM, module SLB 9635 TT 1. It looks like Apple had plans to use the trusted platform possibilities, but while the chip was present, Apple did not use it at all. Therefore, computers released after October 2006 do not contain an onboard Infineon TPM. As the Trusted Computing Group is seeing an upscale adoption rate of their technology, TPM will most probably be back inside Apple hardware in the future.

Benefits for the users

Amit Singh, author of "Mac OS X Internals: A Systems Approach", wrote a whole chapter about trusted computing for Mac OS X. Besides this, he released a Mac driver and daemon that will be used later in this article.

While the TPM chip is not used by any of the Apple software products, that doesn't mean that developers cannot use it for the specific purposes of their applications. While it is not the best idea to target just the computers that have TPM chips, this "perfect" customization can be used in some organizations, for instance those running just TPM-enabled Macs. Singh notes that developers could use the TPM from within their own applications to:

• Create private/public key pairs such that the private key never leaves the TPM in clear form and because of it the private key cannot be stolen.
• Sign data without the private key ever leaving the chip.
• Encrypt data such that it can only be decrypted on the physical machine it was encrypted on.
• In protocols such as SSL that use key exchange, employ the TPM for a much better guarantee regarding the identities involved.

Testing the existence of TPM chip

For the purpose of testing your computer for the existence of the TPM chip we will need to use a command line utility, ioreg, which displays the I/O Kit registry. Starting the utility without any particular switches, we can just filter the output while grepping for TPM. The result shows that TPM is present on my MacBook notebook:

Tools of the trade

For the purpose of mangling with the TPM chip, we need to use the following:

TPM Setup

A Mac application released in mid June 2007 that can be used to set up and take ownership of your TPM. The software package is provided by the fine folks at Comet Way, who recently noted their plans to release a simple file encryption utility for your TPM Mac.

You will also need to be at least a bit familiar with the UNIX shell, but following the graphics from this article should be just enough.

TPM Setup can be downloaded from:
1) Comet Way: darkside.cometway.com
2) Help Net Security: net-security.org/software.php?id=675

OSXBookTPM.kext and tcsd

These are Amit Singh's kernel extension and the daemon needed for the whole TPM experience. These files were released under GPLv2, so the guys at Comet Way are redistributing them within the TPM Setup package. Bottom line, all the applications you will need are located in the same archive linked in the previous paragraph.

There is a disclaimer the developers provided with the TPM Setup application. The software is provided as a demo and should be used at your own risk. From the technical perspective the only troublesome thing you can create is to set up and then forget the TPM password, which could be a bad thing.

Important: TPM Setup is an Intel binary, therefore it can be used just on Intel Macs.

Let's take the ownership of the TPM chip

As you could see from the first screenshot, TPM is enabled and activated. The only thing still needed is to take the ownership of it. This means that we need to set up two passwords: one for the TPM chip itself and the other one for the Storage Root Key (SRK).

TPM Setup can also reset a TPM by clearing it, enabling and activating it, and allowing the user to take ownership of the TPM. In this case two reboots will be required, once after clearing the TPM, and once again after enabling and activating it.

In our case of a "clean TPM", we won't need any reboots and the only interaction is entering two sets of passwords (can be identical). Before this, we need to use the Terminal and start Amit Singh's tcsd daemon and load the TPM kernel extension.

As mentioned earlier, the support directory of the TPM Setup contains all the needed scripts, kernel extension and the daemon. Let's start the daemon with the tpmInit script:

The script needs administrative privileges, so the appropriate password needs to be entered. As you can see from the screenshot, the kernel extension is successfully loaded and the daemon is started. Do leave this terminal window open, and if you want to kill the daemon hit the Ctrl+C key combination.

Now that the daemon is started, we can open the TPM Setup application and take the ownership of the TPM chip. If for some reason you didn't start the daemon or the start was unsuccessful, the following window will say that you should start the process again. In our case, everything is just fine:

Time to enter the user and SRK passwords:

Final phase - TPM is operational, activated, enabled and owned:

Conclusion

The whole procedure covered throughout this article is not at all "mainstream", so TPM will currently be of use to an extremely limited number of users. Soon Comet Way will release the mentioned file encryption utility and there is always a need for enhancing the state of security on your Mac.

References

• TPM Setup (tinyurl.com/2ytlar)
• Trusted Computing for Mac OS X (tinyurl.com/yqvydz)
• Trusted Computing Group (trustedcomputinggroup.org)
• TPM Work Group (trustedcomputinggroup.org/groups/tpm/)

Jonathan Austin is a security manager at a healthcare provider with over 10 years of IT experience. His passions include Mac OS X security, Linux clustering and PHP code auditing.

Never has the need to prove compliance with external regulations and internal policies been more acute than it is today. The likely consequences of failing to prove that your organization is compliant and that you are strictly adhering to your own policies can be significant, up to and including possible criminal penalties for top corporate executives. And the buck doesn't stop there. Anyone who is familiar with the Enron story may also remember that it resulted in the once grand Arthur Andersen being brought to its knees, illustrating the thoroughness that external auditors will apply to ensure that they are not implicated.

Organizations today must prove beyond a shadow of a doubt that not only do they have a security program in place, but that it is enforced and is consistent across your organization. Information technology departments play a key role in this endeavor. Shortcomings in IT policies can have potentially serious consequences.

Research by Gartner has shown that 65 percent of all successful computer attacks take advantage of badly configured systems such as use of out-of-the-box default conditions, configuration of user accounts that have privileged rights, simple configuration errors or unscrupulous system administrators. If that's not bad enough, a recently published survey conducted by the U.S. Secret Service together with Carnegie Mellon University's Software Engineering Institute CERT Program found that eighty-six percent of people who carried out insider sabotage held technical positions and ninety percent had system administrator or privileged system access – which meant they held the passwords to override the system and access the network.

No matter how secure a system may be, if the controls to access that system are not adequate, eventually this will be exposed.

A recent Audit Commission report in the UK highlighted that problems are frequently a result of poor access controls that inevitably increase the risk of accidental damage and deliberate abuse. Instances such as the failure of management to escort disgruntled employees from buildings and remove all IT system access facilities have resulted in such staff having the time and opportunity to vent their anger on the organization and cause major disruptions.

Interestingly, the report found the main reasons for breaches were ineffective policies, and the failure to enforce policies.

There are also many misconceptions about regulatory compliance for outsourcing. For example, if your company has outsourced management of its IT infrastructure, the responsibility for compliance still rests with your company, not its outsourcing partner. Additionally, companies providing outsourcing services need to ensure that they are not implicated in the event that issues arise. In other words, select a good outsource partner and you could be a winner. Select a bad one and you could be out of business. It is not the brand name that should convince you but the quality and experience of the staff that will be responsible for your highly sensitive data.

THE IMPORTANCE OF AUTOMATION IN TRACKING AND REPORTING IT CONTROLS CANNOT BE OVERSTATED.

Compliance and regulatory requirements

Being compliant has become a major focal point for most large organizations, but this for all practical purposes should be a goal for risk management and security in every organization. Regardless of external factors, those responsible for the integrity of the IT environment should be actively involved in ensuring that permanent staff, business partners and contracted staff, who may have privileged user rights, comply with company policies when it comes to handling company assets.

For those organizations that also need to meet public standards, the level of media exposure that has resulted from high-profile cases in the United States means that most people in the IT security arena are familiar with Sarbanes-Oxley, Basel II, 21 CFR Part 11, PCI, Gramm-Leach-Bliley and HIPAA. However, it is not simply these much publicized standards. Today most countries have regulations in place that are very similar, such as France's "Loi de Sécurité Financière", Germany's "KonTraG", the UK's "Combined Code" and the Netherlands' "Tabaksblat Code", which require a similar level of due diligence when it comes to IT security practices, although there are variations related to the compulsory nature in different countries.

Additionally, many organizations are adopting best practices by implementing standards such as ITIL and ISO 27001 in order to ensure consistency across their enterprises. From an IT perspective, what all of these regulations have in common is that they require the strengthening of internal controls related to the use of IT systems.

The controls that are specified in most standards are very similar. All deal with the primary threats that exist in the IT environment, focusing on the misuse of privileged accounts, mistakes by privileged users and malfunctions within the IT infrastructure itself, particularly when it comes to the security of highly sensitive information. The IT security group needs to be able to prove which privileged user accessed what system, demonstrate that confidential systems and data could not have been accessed by those who had no rights and that those who have the right are tracked.

The importance of automation in tracking and reporting IT controls cannot be overstated. These tools are important in providing timely alerts by continuously collecting and alerting on events for any critical component within the IT infrastructure. Additionally, they are an important factor in reducing the costs associated with collating the information. For any organization that must comply with these regulations, it is mandatory that the IT departments comply, and that the IT security department in an organization must be able to demonstrate to the rest of the organization, and to those external parties that monitor the activities, that the effectiveness of IT controls is adequate.

Anyone who has been faced with an audit, either internal or external, can attest to the resource demands that are placed on the IT organization. This can be especially challenging when an organization is present in different geographical locations. The effectiveness of the controls and reporting tools within the IT security departments is critical both to achieving a successful audit, and to limiting the amount of resource that is required to deliver the necessary information.

Ultimately, you are answering the questions: do you have the important controls in place, have you implemented effective change management and are your access controls effective – and of course can you prove it.

A major challenge facing organizations today is that regulations do not make allowances for unintentional errors, and human error is one of the biggest risks faced by companies, especially as pressure to reduce costs means that more and more tasks are being carried out by fewer staff. Today almost all risk results from internal threats, and because many organizations focus their investment in protecting against the external threat, they are often not adequately prepared to protect against the internal risks. Today any organization that has an IT infrastructure relies heavily on databases, and database security practices, including everyone and every process that accesses the database, will always be scrutinized very closely by auditors.

So what should you do?

Whether or not you are compelled to apply policies to comply with the various standards, you should familiarize yourself with what is required. My recommendation would be to start by taking the time to study the ISO 27001 standard to gain an overall view of what is required to have an effective information security policy and in conjunction look at the requirements of the Payment Card Industry (PCI) standard. Although the PCI standard is intended for organizations that deal with credit card transactions, it offers a very practical guide to what should be done on a practical level in many areas, and will ensure that you have taken adequate precautions to protect yourself and your business.

Calum MacLeod has over 30 years of expertise in secure networking technologies, and is responsible for developing the Cyber-Ark business in Europe and Africa.

Before joining Cyber-Ark, MacLeod served as Europe, Middle East and Africa Business Development Director for Netilla Networks, and was responsible for leading some of the early SSL VPN projects in Europe. MacLeod has also served as an independent consultant to corporate and government clients on IT security strategy for various European market segments, including the European Commission.

Black Hat USA 2007 Briefings & Training 28 July-2 August 2007 – Las Vegas, USA http://www.blackhat.com/

HITBSecConf2007 3 September-6 September 2007 – Kuala Lumpur, Malaysia http://conference.hitb.org/hitbsecconf2007kl/

Security ‘07 – 16th USENIX Security Symposium 6 August-10 August 2007 – Boston, USA http://www.usenix.org/events/sec07/

Chaos Communication Camp 2007 8 August-12 August 2007 – Finowfurt, Germany http://events.ccc.de/camp/2007/Home

InfowarCon 2007 9 September-21 September 2007 – Bethesda, USA http://www.infowarcon.com/

RSA Conference Europe 2007 22 October-24 October 2007 – London, United Kingdom http://www.rsaconference.com/2007/Europe

3rd Annual Techno Forensics Conference 29 October-31 October 2007 – Gaithersburg, USA http://www.Techno2007.com/

Best practices dictate that we must protect sensitive data at the point of capture, as it's transferred over the network (including internal networks) and when it is at rest. Protecting data only sometimes - such as sending sensitive information over wireless devices over the Internet or within your corporate network as clear text - defeats the point of encrypting information in the database.

It's far too easy for information to be intercepted in its travels, so the sooner the encryption of data occurs, the more secure the environment will be. A comprehensive encryption solution doesn't complicate authorized access to the protected information - decryption of the data can occur at any point throughout the data flow wherever there is a need for access.

Decryption can usually be done in an application-transparent way with minimum impact to the operational environment. Due to distributed business logic in application and database environments, organizations must be able to encrypt and decrypt data at different points in the network and at different system layers, including the database layer.

Encryption performed by the database management system can protect data at rest, but more security oriented corporations will also require protection for data while it's moving between applications, databases and data stores. One option for accomplishing this protection is to selectively parse data after the secure communication is terminated and encrypt sensitive data elements at a very granular level (usernames, passwords, and so on). Application-layer encryption and mature database-layer encryption solutions allow enterprises to selectively encrypt granular data into a format that can easily be passed between applications and databases without changing the data.

Key Management is often overlooked

One of the essential components of encryption that is often overlooked is key management - the way cryptographic keys are generated and managed throughout their life.

Since cryptography is based on keys which encrypt and decrypt data, your database protection solution is only as good as the protection of those keys. Security depends on several factors including where the keys are stored and who has access to them. When evaluating a data privacy solution, it is essential to include the ability to securely generate and manage keys. This can be achieved by centralizing all key management tasks on a single platform, and effectively automating administrative key management tasks, providing both operational efficiency and reduced management costs.

Data privacy solutions should also include an automated and secure mechanism for key rotation, replication, and backup. The difficulty of key distribution, storage, and disposal has limited the wide-scale usability of many cryptographic products in the past. Automated key distribution is challenging because it is difficult to keep the keys secure while they are distributed, but this approach is finally becoming secure and more widely used. Standards for key management have been developed by the government and by organizations such as ISO, ANSI, and the American Banking Organization (ABA). The key management process should be based on a policy. This article will exemplify different elements of a suggested policy for a Key Management System used for managing the encryption keys that protect secret and confidential data in an organization.

A major problem with encryption as a security method is that the distribution, storage, and eventual disposal of keys introduce an expensive and onerous administrative burden.

Issues with native point solutions

A major problem with encryption as a security method is that the distribution, storage, and eventual disposal of keys introduce an expensive and onerous administrative burden. Historically, cryptographic keys were delivered by escorted couriers carrying keys or key books in secure boxes.

An organization must follow strictly enforced procedures for protecting and monitoring the use of the key, and there must be a way to change keys. Even with all of these restrictions, there is always a chance that the key will be compromised or stolen. Even if there are standards developed for key management, it is still the most difficult part of an encryption solution. This is one of the greater challenges to overcome when you decide to create your own solution based on encryption toolkits from database vendors and security vendors. These toolkits provide the basic functionality for encrypting and decrypting information but typically do not provide a secure key management system.

Many companies have tried to develop their own encryption functionality, but few have succeeded in creating a system that performs not only by doing the obvious encryption, but doing so in a secure and reliable manner that does not prohibit you from keeping your systems operational. A mature data protection system should be based on a sophisticated key management system that is transparent, automated, secure and reliable for the environments where it operates.

A distributed approach with a central point of control

A mature data protection system should provide a central point of control for data protection systems at the application, database and file levels. The encryption solution has a combined hardware and software key management architecture which combines the benefits of each technology. This will address the central security requirements while providing the flexibility to allow security professionals to deploy encryption at the appropriate place in their infrastructure. It provides advanced security and usability and a smooth and efficient implementation into today's complex data storage infrastructures.

If your human resources department locks employee records in filing cabinets where one person is ultimately responsible for the keys, shouldn't similar precautions be taken to protect this same information in its electronic format? One easy solution is to store the keys in a restricted database table or file. But all administrators with privileged access could also access these keys, decrypt any data within your system, and then cover their tracks. Your database security in such a situation is based not on industry best practice, but on trusting your employees. When securing the sensitive data within your organization, trust is not a policy. The key custodian should be a role in the IT organization.

The key custodian

The key custodian is responsible for managing the multi-layer key management infrastructure, including the creation of keys, distribution of replacement keys and the deletion of keys that have been compromised. The custodian should be appointed by the Compliance Review Committee. Access to central key management functions should require a separate and optional strong authentication, and management of encryption keys should be logged in an evidence-quality audit system.

Keys stored in the Hardware Security Module are protected from physical attacks and cannot be compromised even by stealing the Hardware Security Module itself. Any attempt to tamper with or probe the Hardware Security Module will result in the immediate destruction of all private key data, making it virtually impossible for either external or internal hackers to access this vital information.

Encryption of the application data should be performed by an Enforcement Agent that should be implemented as a Dedicated Encryption Service (please see my articles in (IN)SECURE issue 8 - insecuremag.com and tinyurl.com/23bhz7) that is separated from the administration of the data that it protects. This service may run in different environments including in a separate process, a separate server or in a Hardware Security Module, depending on the security class of the data and the operational requirements for performance and availability.

When securing the sensitive data within your organization trust is not a policy.

Key domains for protection and easier management

A mature data encryption solution should support the concept of key domains, which can isolate different systems for security reasons or operational needs. Each key domain may have different security exposures and can have a different policy for how keys should be managed, including key generation, key rotation and protection of key material. It should support transparent re-encryption of the data when it flows between systems that are using different encryption keys or different algorithms.

The Key Management System must support multiple levels of keys to ensure that the encryption keys that protect secret and confidential data cannot be compromised. This enables the use of different encryption keys for different columns, tables and files. When setting policy, it is important to configure the use of different encryption keys and initialization vectors across different columns, tables and files to maintain compartmentalization and a diverse front against attack. The keys should be stored in an Enforcement Agent that supports dual control (requiring more than a single administrator/operator) for key recovery. It may be implemented in hardware or software, but it must support both the encryption and integrity of the key backup format.

Annual review of algorithms and key lengths

The Key Management System must support key lengths or strengths of 128 bits or greater for symmetric keys. Such keys are deemed "strong encryption" and are not susceptible to a brute force attack using current technology. Public or asymmetric keys must be of equivalent strength. That is, a 128-bit symmetric key and a 3072-bit public key are considered to be equivalent in terms of strength, while a 15,360-bit public key is equivalent to a 256-bit symmetric key. The data encryption should be performed with strong standard algorithms including 3DES, AES 128 or AES 256. Data requiring protection for longer periods of time should use the longer key lengths. Note that adequate CPU power today may not be enough tomorrow as you incorporate more secure communications. It is wise to establish a key-length policy early and review it annually.

Secure generation and distribution of keys

The Key Management System must generate a unique key for each file, tape, or other data element that needs to be encrypted. Private keys must be generated within the secure confines of the Key Management System and never be transferred outside the Key Management System unless encrypted with a Key Encryption Key. All keys should be centrally generated in software or hardware based on the security class for the type of data they protect.

The key management system must be able to electronically transfer private keys to other trusted key repositories throughout the enterprise. This may also be implemented via Smart Cards. The security policy should define where different keys should be stored and cached. The master keys are used to encrypt all operational keys, which should be stored in cipher text in separated databases.

Security metadata and operational encryption keys should be kept in cipher text (even when stored in memory) until needed for use by crypto-services routines. All communication, both external and internal, is encrypted. All Data Protection System services should be using X.509 certificates and SSL for secure distribution of encryption keys. Unique keys should be generated for each Enforcement Agent, and should be used when sending information between system components.

The data encryption method should be based on different encryption keys for different columns, tables, files and directories. An optimal design for Hardware Security Module support can be based on an optimal combination of hardware and software keys. The supported Hardware Security Module should be tamper evident and compliant with FIPS PUB 140-2 Level 3 Security Requirements for Cryptographic Modules, and keys are randomly generated in compliance with ANS X9.24 Section 7.4.

Key validation, access control and logging

Key validation is performed by integrity checking the security metadata that is kept in ciphered text (even in memory). Key access control is performed by role-based authorization of users, allowing for specific authorized actions by user (select/insert/update/delete). Users can be authenticated by any accepted means of the native database.

Any encrypt/decrypt operation requested by the user is verified against the policy by the Enforcement Agent after authorization and authentication checks have been completed by the database. Under the control of the authenticated Security Administrator, the system should generate a Master Key used to encrypt all operational keys.

Security data remains ciphered until needed for use by crypto-services routines. The master keys and data encryption keys should be secured, and their integrity checked. All communication, external and internal, should be encrypted. The system may use public key cryptography to exchange the symmetric encryption keys. The Key Management System must support tracking of when keys are created and deleted, who created and deleted them, who used what keys, and what was done with the key.

Key protection and aging

Encryption keys should be protected and encrypted when stored in memory or databases, and during transport between systems and system processes. The use of a combination of software cryptography and specialized cryptographic chipsets, called a Hardware Security Module, can provide a selective added level of protection, and help to balance security, cost, and performance needs.

Certain fields in a database require a stronger level of encryption, and a higher level of protection for associated encryption keys.

Encryption keys and security metadata should continuously be encrypted and integrity validated – even when communicated between processes, stored or cached in memory. Security data should remain ciphered until needed for use by crypto-services routines.

Key Rotation, or more accurately Key Aging, is best security practice and is required in some governmental regulations and industry initiatives. More sensitive data and data on more exposed systems should be re-encrypted with fresh encryption keys more frequently than the rest of the data. A well designed automated key rotation solution can provide zero downtime by attaching key labels to each record or data field in the operational databases and file systems. The automated key rotation process can run in the background and utilize spare cycles on each available processor on your data servers. The background processing can be assigned a priority level that will complete the key rotation according to the policy that is defined.
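As an added example (not from the article or any vendor's product), here is the key hierarchy, key usage tracking and label-driven rotation described above in Python: a master key wraps each data encryption key, every record carries the label of the key protecting it, an audit trail records who created and used which key, and a background rotation pass re-encrypts only the records still on an old key. The names (KeyStore, seal, open_) are my own, and the seal/open_ cipher is a hash-based stand-in so the example runs with the standard library alone; in practice use AES-GCM from a vetted library.

```python
import hashlib
import hmac
import os

# seal/open_ are a stand-in AEAD (hash-based keystream plus an HMAC tag) so
# that this example runs with the standard library alone; in production use
# AES-GCM or another vetted AEAD from a maintained cryptography library.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate; the 16-byte nonce is prepended, the tag appended."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Reverse seal; raise ValueError if the ciphertext or tag was altered."""
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyStore:
    """Two-level key hierarchy. The master key (an HSM's job in production)
    wraps every data encryption key (DEK); DEKs rest only in wrapped form;
    each record carries the label of the DEK protecting it; every key
    creation and use is appended to an audit trail."""

    def __init__(self, operator: str):
        self._master = os.urandom(32)
        self._wrapped = {}    # DEK label -> DEK sealed under the master key
        self.current = None   # label used for new encryptions
        self.audit = []
        self.create_dek("dek-1", operator)

    def create_dek(self, label: str, operator: str) -> None:
        """Generate a fresh DEK, wrap it and make it the current key."""
        if label in self._wrapped:
            raise ValueError(f"key label {label!r} already exists")
        self._wrapped[label] = seal(self._master, os.urandom(32))
        self.current = label
        self.audit.append(f"create {label} by {operator}")

    def _unwrap(self, label: str, user: str) -> bytes:
        if label not in self._wrapped:
            raise KeyError(f"unknown key label {label!r}")
        self.audit.append(f"use {label} by {user}")
        return open_(self._master, self._wrapped[label])

    def encrypt(self, plaintext: bytes, user: str) -> dict:
        """Protect plaintext under the current DEK and label the record."""
        dek = self._unwrap(self.current, user)
        return {"key_label": self.current, "data": seal(dek, plaintext)}

    def decrypt(self, record: dict, user: str) -> bytes:
        """The record names its own DEK, so old and new keys coexist mid-rotation."""
        return open_(self._unwrap(record["key_label"], user), record["data"])

    def rotate(self, records: list, operator: str) -> int:
        """Re-encrypt in place every record not yet on the current DEK and
        return how many were moved. Current records are skipped, so the job
        can run in the background and resume after an interruption."""
        moved = 0
        for record in records:
            if record["key_label"] == self.current:
                continue
            record.update(self.encrypt(self.decrypt(record, operator), operator))
            moved += 1
        return moved


if __name__ == "__main__":
    ks = KeyStore("admin")
    records = [ks.encrypt(b"constructed sample record", "app")]
    ks.create_dek("dek-2", "admin")  # policy calls for a fresh key
    print(ks.rotate(records, "rotation-job"), records[0]["key_label"], ks.audit)
```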

Encryption keys and security metadata should continuously be encrypted and integrity validated.

Secure key storage

To maintain a high level of security, the endpoint server platform should provide the choice to only temporarily cache encrypted lower level data encryption keys. Key encryption keys should always be stored encrypted on separate platforms. A central server with a hardened standard computing platform to store the keys can provide a cost effective solution. Keys should be kept in an encrypted format in memory (cached) until they are to be used.

Data encryption keys should be stored in encrypted format in a separate data server along with other policy information, optionally on the Security Administration System repository or on the local database where the Enforcement Agent is installed, depending on the operational requirements and security level of the data that is protected. All keys except the Master Key should be stored (encrypted) under the Key Encryption Keys. The Master Key should also be protected while in transient storage or be kept inside the Hardware Security Module storage, depending on the operational requirements and security level of the data that is protected by the keys.

Effective protection of memory cached keys

Memory attacks may be theoretical, but cryptographic keys, unlike most other data in a computer's memory, are random. Looking through memory structures for random data is very likely to reveal key material. Well made libraries for use as Native Encryption Services go to great efforts to protect keys even in memory. Key-encryption keys are used to encrypt the key while it is in memory, and then the encrypted key is split into several parts and spread throughout the memory space. Decoy structures may be created to mimic valid key material. Memory holding the key is quickly zeroed as soon as the cryptographic operation is finished. These techniques reduce the risk of memory attacks.

Separate encryption keys should be used for different data. These encryption keys can be automatically rotated based on the sensitivity of the protected data. A Dedicated Encryption System can provide separation between processes or servers dedicated to encryption operations, but they are also vulnerable to memory attacks. However, a well made Dedicated Encryption System runs only the minimal number of services. Since web servers, application servers, and databases have no place on a dedicated cryptographic engine, these common attack points are not a threat. This severely constrained attack surface makes it much more difficult to gain the access needed to launch a memory attack. The security classification of the protected data will help in deciding a topology that will give the right balance between security, performance and scalability for each type of environment within an organization.

Key backup and recovery

A weak link in the security of many networks is the backup process. Often, private keys and certificates are archived unprotected along with configuration data from the backend servers. The backup key file may be stored in clear text or protected only by an administrative password. This password is often chosen poorly and/or shared between operators. To take advantage of this weak protection mechanism, hackers can simply launch a dictionary attack (a series of educated guesses based on dictionary words) to obtain private keys.

To maintain a high level of security and separation, the application data backup files should be separated from the backup of encrypted lower level data encryption keys. After keys are created, they must be archived to a secure storage environment where they can be kept for long periods of time. Master keys should be backed up separately. During installation, the master key should be generated and stored on removable media for recovery purposes.

Maintaining this media in escrow and/or at your disaster recovery site is best practice. Backup of keys on the Security Administration System should be performed on a regular basis, usually before and after major policy changes are realized.

Backup of the encrypted data encryption keys should be automated and performed at the same time as business data backup, using standard database backup and restore procedures. Even if policies or keys have changed, or if the Security Administration System is unavailable, any Enforcement Agent and its protected database may be restored successfully as long as access to the Master Key is provided via proper user authentication. The Key Management System must be able to survive multiple hardware and site failures and still be able to retrieve the archived keys to unlock encrypted data. The Key Management System must support creation and management of "split keys," so that the ability to decrypt data requires cooperation of multiple persons, each knowing only their part of the key, to reconstruct the whole key.

Conclusion

We have reviewed crucial guidelines and best practices for a Key Management System for data encryption based on the approach of a central point of control for key management and distributed encryption and policy enforcement across applications, databases and file systems.

The solution provides great flexibility by combining the benefits from hardware and software based encryption and key management. This approach addresses the requirements for central security control while providing the flexibility to allow security professionals to deploy encryption at the appropriate place in their infrastructure. It provides the needed balance between advanced security, availability, and performance for the combined solution.

The concept of separate key domains across a data flow can isolate different systems from a risk perspective and it can also accommodate differences in the operational requirements. Best practices dictate that we must protect sensitive data at the point of capture, as it is transferred, also over internal networks, and when it is at rest.

A mature solution for encryption and key management can provide this higher level of protection of information.
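For the "split keys" backup just described and the memory protections in the earlier section on memory cached keys, an added example that is not the article's or any vendor's code: a key is split into one share per custodian so that every share is needed to rebuild it, a keyed check value rejects an incomplete or corrupted share set, and a cache keeps a key in memory only as shares, rebuilding it for one operation and zeroing that copy afterwards. The names (split_key, combine_shares, CachedKey) are assumptions, and zeroing in CPython is best-effort only.

```python
import hashlib
import hmac
import os
from contextlib import contextmanager


def _xor_all(chunks: list) -> bytes:
    acc = bytearray(chunks[0])
    for chunk in chunks[1:]:
        for i, b in enumerate(chunk):
            acc[i] ^= b
    return bytes(acc)


def check_value(key: bytes) -> bytes:
    """Short keyed check value stored beside a backup so a bad reconstruction
    (a missing or swapped share) is detected instead of yielding a wrong key."""
    return hmac.new(key, b"key-check-value", hashlib.sha256).digest()[:8]


def split_key(key: bytes, custodians: int) -> dict:
    """Split key into one share per custodian so that all shares are needed:
    every share but the last is random and the last is the XOR of the key
    with the others, so any incomplete set is indistinguishable from noise."""
    if custodians < 2:
        raise ValueError("dual control needs at least two custodians")
    shares = [os.urandom(len(key)) for _ in range(custodians - 1)]
    shares.append(_xor_all([key] + shares))
    return {"shares": shares, "check": check_value(key)}


def combine_shares(shares: list, check: bytes) -> bytes:
    """Rebuild the key from the full share set and verify the check value."""
    if len({len(s) for s in shares}) != 1:
        raise ValueError("shares differ in length")
    key = _xor_all(shares)
    if not hmac.compare_digest(check_value(key), check):
        raise ValueError("incomplete or corrupted share set")
    return key


class CachedKey:
    """Keep a key in memory only as XOR shares in separate buffers, rebuild it
    for the duration of one operation and zero that copy afterwards. CPython
    may hold copies this code cannot reach, so the zeroing is best-effort;
    native libraries do the same with real control over memory."""

    def __init__(self, key: bytes, parts: int = 4):
        backup = split_key(key, parts)
        self._shares = [bytearray(s) for s in backup["shares"]]
        self._check = backup["check"]

    @contextmanager
    def use(self):
        buf = bytearray(combine_shares([bytes(s) for s in self._shares], self._check))
        try:
            yield buf
        finally:
            for i in range(len(buf)):   # zero the rebuilt key as soon as we are done
                buf[i] = 0

    def wipe(self) -> None:
        """Zero the shares when the key is retired from this process."""
        for share in self._shares:
            for i in range(len(share)):
                share[i] = 0
```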

Ulf T. Mattsson is the CTO of Protegrity. Ulf created the initial architecture of Protegrity's database security technology, for which the company owns several key patents. His extensive IT and security industry experience includes 20 years with IBM as a manager of software development and a consulting resource to IBM's Research and Development organization, in the areas of IT Architecture and IT Security. Ulf holds a degree in electrical engineering from Polhem University, a degree in Finance from University of Stockholm and a master's degree in physics from Chalmers University of Technology.

For more of his work download earlier issues of (IN)SECURE Magazine.


Handheld USB devices have been a godsend to anyone who wants to take information from one PC to another, but their ease of use has also created a new type of security headache for companies.

The recent explosion in sales of devices such as USB sticks, iPods and PDAs means they are a common sight in most offices.

Where's the harm in an iPod, you might ask. Surely the most offensive thing about an iPod is the often dodgy choice of music coming from it? When you consider that these tiny portable media devices can just as easily be used to remove confidential customer files, there is a clear menace behind the shiny chrome exterior.

So what steps should businesses take to protect themselves against the risks associated with such devices?

Keep your enemies close. Keep your workforce closer.

The biggest threat to the integrity of a company's IT security is not some sinister hacker trying to break into the corporate network, but employees and partners with easy access to business information.

With removable media devices such as MP3 players, digital cameras, and PDAs commonplace in companies, uncontrolled use of them carries a number of risks, from the simple nuisance factor of the network being used to store personal files and the risks associated with software theft, to the consequences of a deliberate attack on the network.

The storage device is also a simple way for malware to propagate within your network; a user can unwittingly infect the network with a virus that has been transferred from his home PC by such a device.

The right security strategy inevitably has an adverse effect on business productivity and flexibility.

It's a worrying fact that around 80% of IT security incidents occur inside an organization, and yet an estimated 80% of security spend still goes outside on perimeter defenses such as firewalls, anti-virus, intrusion detection and content filtering.

Businesses need a formalized control mechanism in place in order to protect critical business systems and databases from data and IP theft.

If you decide to outlaw USB devices, good luck. This is a difficult proposition, and there's no foolproof method. Windows 2003 will block USB port access, but critically, will also stop USB keyboards, mice and other legitimate USB devices being used – a move that will not be popular with employees. Simply disabling USB ports is therefore not the answer, as it

Striking the right balance

It's important to have an Acceptable Usage Policy (AUP) in place, so that employees are aware of what they may and may not use in the workplace. However, relying on AUPs alone is insufficient – organizations need to back up any policy with robust enforcement capabilities.

A wholesale ban on portable media devices is not the answer. Certain employees across an organization will have a perfectly legitimate need to use removable media, be it a USB stick to transfer data or a PDA to synchronize diaries.

Not all employees will need such access, so a flexible solution is needed for permissible usage and blocking unauthorized connections.

David Beesley is managing director of IT security consultancy Network Defence (www.networkdefence.com), which he co-founded in 1996. David has been involved in the IT industry since 1985, responsible for the design and delivery of a number of large LANs and WANs over the past 15 years. David is recognized as a leading IT security expert in the UK and has over 12 years' technical experience designing and implementing IT security solutions.

Stephen Northcutt on Security Certification and the SANS Top 20 http://www.net-security.org/article.php?id=1007

Stephen Northcutt, the CEO of the SANS Institute, provides us with an overview of SANS activities, the Internet Storm Center, the SANS Top 20 and the evolution of the IT security market in terms of the growing need for certification. This is a video that anyone wanting to get certified will be interested in.

Anomaly-Based Unsupervised Intrusion Detection http://www.net-security.org/article.php?id=1013

Stefano Zanero talks about anomaly-based unsupervised intrusion detection. In this video he provides an overview of his research into the subject by illustrating how he worked trying to find ways to detect intruders without relying on signatures.

Data Seepage: How to Give Attackers a Roadmap to Your Network http://www.net-security.org/article.php?id=1015

In this video, Robert Graham and David Maynor, the CEO and CTO of Errata Security, talk about how the days of widespread internet attacks are long gone. What's more popular now are more directed or targeted attacks using a variety of different methods. This is where data seepage comes in. Unbeknownst to a lot of mobile professionals, their laptops, PDAs and even cell phones can be literally bleeding information about a company's internal network.

The Exploit Development Process http://www.net-security.org/article.php?id=1020

Alexander Sotirov is a Vulnerability Researcher at Determina Inc. In this video, made at Black Hat Europe, he discusses in general terms how exploit writers develop exploits.

On a regular basis, Cisco Press releases a number of books that are of great help both for Cisco practitioners and for those studying for one of the certifications that this networking leader offers. Over the past couple of years I have had access to a vast collection of their titles, and while the quality is almost always astounding, there was a clear need for this kind of "video mentor". Reading through extremely technical topics, understanding diagrams and working through the command line interface commands was never this easy.

The author Kevin Wallace, CCIE No. 7945, is a full-time instructor of Cisco courses. With 17 years of Cisco internetworking experience, Kevin holds a bachelor of science degree in electrical engineering from the University of Kentucky.

The CCNP Video Mentor helps CCNP candidates prepare to pass the series of CCNP exams by supplying 16 instructional videos. Each video presents a unique lab scenario, with both visual references and audio explanations of what you should expect to happen in a particular lab.

The videos also show how details of the command-line interface commands are used to implement the features described in each lab video, along with running commentary. The result is a set of videos that explain some of the most important CCNP topics from the BSCI, BCMSN, ISCW, and ONT courses, with thorough explanations from a trusted mentor.

As you can see from the images accompanying this preview, the packaging includes a DVD-ROM with the video course bundled together with a booklet covering all the labs contained in the video presentations.

The DVD-ROM sports a spartan but easy to use interface that starts off the video course with a personal introduction by the author. After this short video, you can choose one of the CCNP labs including "Building Scalable Cisco Internetworks", "Building Cisco Multilayer Switched Networks", "Implementing Secure Converged Wide Area Networks" and "Optimizing Converged Cisco Networks".

All of the separate labs are also personally introduced by the author and afterwards split into four specific chapters. While all of the videos combine the author's audio with product screenshots, usage videos, diagrams and code, you can also complement your experience by viewing the accompanying PDF files to further understand the topology diagrams and the code.

The Cisco Press people really made this video mentor available for multiple platforms, as the DVD-ROM root contains auto start applications for both Microsoft Windows and Apple Mac OS X. There is also a HTML+Flash version of the whole class, which targets additional operating systems.

Overall, "CCNP Video Mentor" will definitely present itself as the next big step for Cisco Press. The videos contain quite a lot of in-depth content provided in an easy to follow way.

All the videos take the same basic approach:

1. The video begins with a description of its goals.
2. The lab scenario steps are listed, giving an outline of what you should expect to see and hear during the video.
3. The network topology used in the video is detailed.
4. Then, for each scenario step:
a. The video shows what you should expect from each part of the lab exercise.
b. The video shows the CLI details of how to configure and verify that the routers and switches are working properly.

www.insecuremag.com 73 According to Aberdeen Group’s "Endpoint Security Strategies Part-1" benchmark report published in November 2006 "Only 22% of the respon- dents agree that they had visibility for the end point compliance to the secu- rity policy, 80% had no idea of the end point compliance". These findings make the situation look pretty dire, and urgent action is demanded of those belonging to 80% in the unprotected category. The new technology on the block is Network Access Control or simply NAC (Cisco’s NAC offering is called Network Admission Control). NAC can help in determining the end point security compliance status and providing for the remediation of these end points which fail compliance checks.

The three cardinal questions for security compliance, which every network administrator and owner endeavor to answer, are:

1. How do I stop unauthorized users and endpoints from accessing resources on my network, whether through wired or wireless means?

2. How do I validate the user's and endpoint's health status? For example: assess the level of operating system patches installed, the status of the anti-virus application and its currency, and other malware detection engines and definitions.

3. How do I remediate the endpoints and users if they fail the above, and present a layered "defense in depth" with security technologies in a cooperative environment?

Often these questions remain unanswered, and the results are visible in the news and reports, as evident from the analysis by Aberdeen Group. NAC or the end point security solution can provide the answer to all the above questions - and more - if designed and configured properly. This article will provide a clear overview of Network Access Control or end point security technologies. I'll present the NAC architecture with the details of major components and their functionality, along with considerations in implementation in real production environments. You'll get a clear view of the present day NAC techniques in the wild from major vendors, which will assist you in arriving at an optimal NAC based solution for your own environment.

Vendors have promoted NAC solutions leveraging their own product offerings. For example Cisco's NAC uses the Cisco PIX firewall, ASA Appliances, Routers and Switches to perform NAC functions. On the other hand Microsoft, being the dominant provider of operating systems, has offered NAC (by the name of NAP, or Network Access Protection) built on product line offerings such as Windows Server, Windows XP and recently Microsoft Vista.

I'll use the terms NAC and endpoint security interchangeably for your ease.

NAC solutions provide the following:

1. Determine the security posture of clients.
2. Grant access to various parts of the network, depending upon the outcome of the first step.
3. Remediate compliance failures, and distribute policy to endpoints.

For example, if a policy says to deny access to endpoints whose patch level is older than 30 days, then NAC will restrict the access of those clients which are non compliant for this policy, and optionally a remediation process will be invoked to make that client compliant by downloading and installing required patches.

The three keywords in the NAC process are: Identify, Assess and Remediate.

The figure above shows a high level NAC architecture where the end users access enterprise resources by wireless, VPN and LAN. We have the option of enforcing the policies at the firewall, or at another access device such as a Layer 2/3 switch or DHCP server.

The fundamental components of a NAC solution are:

1. Endpoints
2. Enforcement points
3. Policy and remediation services

The vendor offerings may comprise a combination of the above components of NAC. Understanding these components will allow the reader to differentiate vendor offerings from one another in a pragmatic manner.

Endpoints

First, there must be a mechanism to determine the security posture of the endpoint machine before taking any decision for identity and access management. The endpoint assessment technologies currently available include:

1. Agent-less: Nothing is downloaded or installed on the endpoint host.
2. Agent: An application is pre-installed or downloaded at the first connection.
3. ActiveX or browser plug-in: This is downloaded to the endpoint when connection is attempted.
4. Scanner: performs an IP based vulnerability scan to determine the installed patches, services etc. on the endpoint.

The agent-less approach uses an end point's administrative account to connect (via Windows RPC) to central user management systems for all the end points. The administrative overhead is considerable, adding to the cost of this approach. In the agent based approach an agent application is pre-installed, or NAC prompts for the installation of the agent at the first logon of the user to the network. Agents not only assist in determining the posture of the endpoint, but can also do access control and reporting to the NAC server on the end user machine, with the built-in firewall. One of the disadvantages of the agent-based approach is that it works on the assumption that the agent will be pre-installed or will be installed at the first attempt of access to the network, which can be a potential source of risk.

In the scanning method the NAC scans the end machine and, based on the scan result, the posture is determined for the next step of identity and access to network resources. This approach may or may not test the endpoint's patch levels, anti-virus definition file status, or file/registry values. Another issue is that of the time required to scan an endpoint, which may be exacerbated at peak endpoint activity due to simultaneous endpoint scans. With the ActiveX or browser plug-in technology, the plug-in is downloaded on the end point for posture determination and to report the compliance status of the end point. The advantages of this are comparatively less memory and CPU overhead.

Enforcement points

Enforcement is the pivotal element of the whole NAC architecture, as all the access decisions are implemented here. NAC offerings from vendors tend to favor their own product lines: for example some traditional network companies implement access control on their layer 2/3 switch (which may be a difficulty for users who have different brand switches).

Here are the possible enforcement options currently available in the market:

1. Inline: includes firewalls, layer 2/3 switches and purpose built appliances
2. 802.1X: IEEE standard for port based access control
3. DHCP: IP assignment restrictions

Inline based enforcement options include firewalls, layer 2/3 switches or purpose built dedicated inline appliances. Some NAC solutions offer support for other vendors' firewalls and switches for enforcement, which is welcome news for users who have a multi-vendor NAC networking infrastructure.

Some considerations for inline devices are:

1. Bandwidth requirements: must support the traffic and provide future scalability, or else the inline device will become the choke point.
2. High availability: Some sort of redundancy is expected, in case the primary inline device fails (and the time associated with fail over).
3. The degree of separation provided between the endpoints and the business critical systems inside the network.
4. Reporting from the enforcement device: for both compliant and non compliant endpoints.

802.1X or port based network access control is a protocol based on the Extensible Authentication Protocol (EAP), an IEEE standard. New generation layer 2/3 switches offer the possibility of segregating specific IPs onto a separate VLAN, and imposing various access control lists on VLAN traffic. 802.1X has three major components: the Supplicant, which is the person or endpoint attempting access, the Authenticator, which is the device that the Supplicant is attempting to connect to, and the Authentication server, which holds credentials.

The process of gaining access is:

• The end user machine connects to the Authenticator, which can be a WLAN access point or a LAN switch.
• The Authenticator sets the port to 'unauthorized', which will only permit 802.1X traffic, and requests authentication data from the endpoint. The endpoint returns its authentication data to the Authenticator.
• The Authenticator knows the Authentication server, and forwards the request to the authentication server (typically a RADIUS server). The RADIUS server returns a pass/fail.
• Once the authentication is successful, the Authenticator opens the port for the supplicant to join the network.

DHCP based access restriction works on the premise that the endpoint user will play by the rules of the game. Purely DHCP based restriction may not prove to be effective as it is possible to bypass. DHCP assigns quarantined or unknown end points to an IP address that is restricted by ACLs on switches/routers.

Some of the considerations for the DHCP method of enforcement are:

1. Is this secure enough for the environment? Requires a risk analysis.
2. Is the existing environment's architecture suitable for this enforcement? Possibilities here include placing a NAC server inline with DHCP.
3. Does it require a significant additional outlay for the equipment?

Policy and remediation service

Policy and remediation services are the last part of the NAC picture, though the endpoint assessment is done against the policy set by the administrator at the very start of the NAC process. Once the assessment is carried out on the endpoint, and matched against the policy for compliance, the decision to restrict or allow the endpoint is taken. If the endpoint is restricted due to a failure to comply with one or more policies, the endpoint is quarantined.

The next logical step is to seek to remediate the endpoint. The task of a remediation service is to make the endpoint compliant with the policy, thus restoring the access to join the network for services in a healthy state.

The remediation process may be single or consist of multiple steps. For example, if an endpoint does not have current anti-virus definitions and lacks critical Microsoft patches, then the remediation process directs the endpoint to the current anti-virus definitions and required Microsoft patches.

The endpoint security posture should also be regularly re-tested, so as to remain proactive. The results of this continuous monitoring of the endpoint posture and status of compliance must be reported promptly. Another point to consider here is the execution and delivery of policy, either to the endpoint or enforcement point. The frequency and protocol for delivery are equally important in this whole NAC framework. Needless to say the policy has to be regularly backed up, and the facility to restore from backed-up policies should be regularly tested.

Some considerations for the remediation and policy service are:

1. Placement and capacity of remediation servers, for example the patch distribution mechanism, etc.
2. Will remediation be self-service, or will it be performed by the help desk?
3. How does the remediation server obtain the third-party details such as the anti-virus and other malware definition currency, MS patch levels, and more?
4. What mechanism is in place for communication between the remediation servers and the policy server?

Conclusion

NAC is a rapidly evolving field and holds immense promise for the future of endpoint security. NAC can deliver lower costs and tools for the compliance checking and managing the security posture of endpoints. More mature NAC products can be expected in the future with the entry of innovative players into the market.
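The identify, assess and remediate flow described in this article, as an added example in Python that is not from the article or any vendor's product: a stand-in authenticator follows the 802.1X port sequence (port unauthorized until the authentication server passes the credentials), checks the endpoint's posture against a policy such as the 30-day patch rule, places it on a production or quarantine VLAN, and a remediation step clears the failures before the endpoint is re-assessed on its next connection. The names, the dictionary standing in for the RADIUS server and the sample dates are constructed.

```python
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2007, 6, 1)  # constructed reference date for the sample postures


def days_ago(n: int) -> date:
    return TODAY - timedelta(days=n)


@dataclass
class Posture:
    """What the endpoint (or its agent / the scanner) reports about itself."""
    last_patch: date
    av_definitions: date
    agent_present: bool = True


@dataclass
class Policy:
    max_patch_age_days: int = 30   # the article's example: deny if older than 30 days
    max_av_age_days: int = 7


def assess(posture: Posture, policy: Policy, today: date) -> list:
    """Return the names of the failed checks; an empty list means compliant."""
    failures = []
    if not posture.agent_present:
        failures.append("agent-missing")
    if (today - posture.last_patch).days > policy.max_patch_age_days:
        failures.append("patches-stale")
    if (today - posture.av_definitions).days > policy.max_av_age_days:
        failures.append("av-definitions-stale")
    return failures


class Authenticator:
    """Switch or access point port following the 802.1X sequence: the port
    starts 'unauthorized' (EAP traffic only), credentials are relayed to the
    authentication server, and a pass plus a compliant posture opens the port
    onto the production VLAN. A pass with failed checks lands the endpoint on
    the quarantine VLAN with its remediation tasks attached."""

    def __init__(self, auth_server: dict, policy: Policy):
        self.auth_server = auth_server   # stand-in RADIUS store: user -> secret
        self.policy = policy
        self.ports = {}                  # port id -> {"state", "vlan"}
        self.log = []                    # what the NAC server would be told

    def _radius(self, user: str, secret: str) -> bool:
        known = self.auth_server.get(user, "")
        return hmac.compare_digest(known, secret) and known != ""

    def connect(self, port: str, user: str, secret: str, posture: Posture, today: date) -> dict:
        self.ports[port] = {"state": "unauthorized", "vlan": None}
        if not self._radius(user, secret):
            self.log.append(f"{port}: {user} authentication failed")
            return {"port": "unauthorized", "vlan": None, "remediation": []}
        failures = assess(posture, self.policy, today)
        vlan = "quarantine" if failures else "production"
        self.ports[port] = {"state": "authorized", "vlan": vlan}
        self.log.append(f"{port}: {user} -> {vlan} {failures or 'compliant'}")
        return {"port": "authorized", "vlan": vlan, "remediation": failures}


def remediate(posture: Posture, failures: list, today: date) -> Posture:
    """Apply the fixes a remediation server would push; the endpoint is then
    re-assessed on its next connection rather than trusted outright."""
    if "patches-stale" in failures:
        posture.last_patch = today
    if "av-definitions-stale" in failures:
        posture.av_definitions = today
    if "agent-missing" in failures:
        posture.agent_present = True
    return posture


if __name__ == "__main__":
    auth = Authenticator({"alice": "s3cret"}, Policy())
    stale = Posture(last_patch=days_ago(61), av_definitions=days_ago(2))
    verdict = auth.connect("gi0/2", "alice", "s3cret", stale, TODAY)
    remediate(stale, verdict["remediation"], TODAY)
    print(verdict, auth.connect("gi0/2", "alice", "s3cret", stale, TODAY), auth.log)
```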

Naveen Sharma, CISSP, is working in the Information Security space with a leading IT service provider in Australia. He has previously worked in the networking and telecommunication industry for more than 8 years. He is presently pursuing a Masters in Systems Security from Macquarie University in Sydney. His other passions include Linux and table tennis.